From 01fe1111d00783b527440fee56551533353ea359 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 18:04:52 -0400 Subject: [PATCH 01/35] add operators_ns --- README.md | 38 +++++++++++++++++++++++++++++++++++--- main.tf | 9 +++++++++ version.tf | 2 +- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 47d7d46..4a9a60b 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ coredns kube-proxy # CHANGELOG +* 0.0.4 -- 2024-07-31 + - add operators_ns * 0.0.3 -- 2024-07-30 - updated to use karpenter - misc cleanup @@ -24,6 +26,9 @@ kube-proxy - update upstream cluster module to 20.20.0 - created changelog + +## Requirements + | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | @@ -39,13 +44,17 @@ kube-proxy | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 5.14.0 | +| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | >= 5.14.0 | +| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | >= 5.14.0 | +| [aws.self](#provider\_aws.self) | >= 5.14.0 | +| [kubernetes](#provider\_kubernetes) | n/a | | [null](#provider\_null) | >= 3.2.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.8.5 | +| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 | | [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | 
@@ -55,17 +64,30 @@ kube-proxy | Name | Type | |------|------| +| [aws_ec2_tag.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone_association.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.self_zone_west](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | +| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | 
[null_resource.kube_config_create](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_route53_zone.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnets.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs 
@@ -73,24 +95,34 @@ kube-proxy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | +| [account\_id](#input\_account\_id) | AWS account id | `string` | `""` | no | | [aws\_environment](#input\_aws\_environment) | AWS Environment (govcloud \| east-west) | `string` | `""` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | The Kubernetes version number to use for this EKS cluster. See https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | `string` | `"1.27"` | no | -| [domain](#input\_domain) | The DNS domain name of the cluster. | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | The size of the disk of the worker nodes in gigabytes. 40 is the approximate minimum. Needs to hold the all of the normal operating system files plus every image that will be used in the cluster. | `number` | `80` | no | | [eks\_instance\_types](#input\_eks\_instance\_types) | EKS worker node instance types | `list(string)` |
[
"t3.xlarge"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Node Group desired size | `number` | `4` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Node Group maximum size | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | +| [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no | +| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"269244441389-lab-gov-network-nonprod"` | no | +| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` |
{
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
| no | | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | +| [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [profile](#input\_profile) | AWS config profile | `string` | `""` | no | +| [region](#input\_region) | AWS config region | `string` | `""` | no | +| [region\_map](#input\_region\_map) | AWS region map | `map(string)` |
{
"east": "us-gov-east-1",
"west": "us-gov-west-1"
}
| no | +| [route53\_endpoints](#input\_route53\_endpoints) | Map of target route53 endpoints (for inbound) central VPCs | `map(map(string))` |
{
"route53_main": {
"account_id": "269244441389",
"alias": "lab-gov-network-nonprod",
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
}
| no | +| [shared\_vpc\_label](#input\_shared\_vpc\_label) | Label to use for shared VPC for flowlogs and other things | `string` | `null` | no | | [subnets\_name](#input\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-container-*"` | no | | [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no | +| [vpc\_domain\_name](#input\_vpc\_domain\_name) | The DNS domain name of the vpc the cluster is in. | `string` | n/a | yes | | [vpc\_name](#input\_vpc\_name) | Define the VPC name that will be used by this cluster | `string` | n/a | yes | +| [zone\_ids](#input\_zone\_ids) | List of Route53 PHZ IDs to associate with a (local/remote) VPC | `list(string)` | `[]` | no | ## Outputs @@ -100,7 +132,6 @@ kube-proxy | [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of cloudwatch log group created | | [cluster\_addons](#output\_cluster\_addons) | Map of attribute maps for all EKS cluster addons enabled | | [cluster\_arn](#output\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | -| [cluster\_autoscaler\_role\_name](#output\_cluster\_autoscaler\_role\_name) | | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | | [cluster\_fqdn](#output\_cluster\_fqdn) | The cluster\_name.domain | 
@@ -126,6 +157,7 @@ kube-proxy
 | [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
 | [module\_name](#output\_module\_name) | The name of this module. |
 | [module\_version](#output\_module\_version) | The version of this module. |
+| [node\_group\_name](#output\_node\_group\_name) | ############################################################################### Additional ############################################################################### output "cluster\_autoscaler\_role\_name" { value = module.cluster\_autoscaler\_irsa\_role.iam\_role\_name } |
 | [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
 | [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
 | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
diff --git a/main.tf b/main.tf
index 60f4400..3a03cd2 100644
--- a/main.tf
+++ b/main.tf
@@ -176,3 +176,12 @@ resource "null_resource" "kube_config_create" {
 command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config"
 }
 }
+
+#### NEED TO MOVE THIS TO A PROPER PLACE - Added to tfmod-eks to validate kube_config_create
+#### 07-31-2024 - mcm (remove this if group decides on putting in config)
+resource "kubernetes_namespace" "operators" {
+ depends_on = [null_resource.kube_config_create]
+ metadata {
+ name = var.operators_ns
+ }
+}
diff --git a/version.tf b/version.tf
index 04110bc..96080a9 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,4 @@
 locals {
 _module_name = "tfmod-eks"
- _module_version = "0.0.3"
+ _module_version = "0.0.4"
 }
From e3c904b53bc5e816fdf8d7f0cd4593c7ac8b7eaf Mon Sep 17 00:00:00 2001
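Review bot: `kubernetes_namespace.operators` needs a configured kubernetes provider, but nothing in this hunk configures one: the `export KUBE_CONFIG_PATH=…` and `export KUBERNETES_MASTER=…` in the local-exec command only live in the provisioner's shell and are gone by the time the provider initialises, and `depends_on = [null_resource.kube_config_create]` orders the resource without configuring the provider, which the README providers table (`kubernetes | n/a`) also shows has no version constraint. Configuring the provider from the cluster module's own outputs with an exec credential plugin removes the dependence on whatever the operator's `~/.kube/config` currently points at, and `kubernetes` should be pinned in `required_providers` next to `aws` and `null` in version.tf; the block below assumes `module.cluster` exposes the `cluster_endpoint` and `cluster_certificate_authority_data` outputs the README lists for this module, and mirrors the `--profile` handling of `kube_config_create` (whose `var.profile` defaults to `""`, so that needs the same guard in both places). The enclosing `resource "null_resource" "kube_config_create"` starts outside the hunk. The `#### NEED TO MOVE THIS` comment should name the file the resource is meant to move to or carry a tracking reference so the temporary placement is not forgotten.

```hcl
# Configure the provider from the cluster itself instead of ~/.kube/config written by kube_config_create
provider "kubernetes" {
  host                   = module.cluster.cluster_endpoint
  cluster_ca_certificate = base64decode(module.cluster.cluster_certificate_authority_data)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    # assumes var.profile is set, as kube_config_create already does
    args        = ["eks", "get-token", "--cluster-name", module.cluster.cluster_name, "--region", data.aws_region.current.name, "--profile", var.profile]
  }
}
# … unchanged: resource "kubernetes_namespace" "operators" …
```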
From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 18:10:50 -0400 Subject: [PATCH 02/35] repo features --- .pre-commit-config.yaml | 21 +++++++++++++++++++ .terraform-docs.yml | 45 +++++++++++++++++++++++++++++++++++++++++ .tflint.hcl | 21 +++++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 .terraform-docs.yml create mode 100644 .tflint.hcl diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..d84ca6d --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,21 @@ +repos: +- repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.62.1 + hooks: + - id: terraform_validate + - id: terraform_fmt + - id: terraform_docs + args: + - --args=--config=.terraform-docs.yml + # exclude: version.tf + exclude: examples/ + - id: terraform_tflint + args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"] + exclude: examples/ + +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.0.1 + hooks: + - id: check-symlinks + - id: detect-aws-credentials + - id: detect-private-key diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..b79e5b5 --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,45 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + # mode: replace + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..fcc2fa8 --- /dev/null +++ b/.tflint.hcl 
@@ -0,0 +1,21 @@
+config {
+ module = true
+ force = false
+ disabled_by_default = false
+
+# ignore_module = {
+# "terraform-aws-modules/vpc/aws" = true
+# "terraform-aws-modules/security-group/aws" = true
+# }
+
+# varfile = ["example1.tfvars", "example2.tfvars"]
+# variables = ["foo=bar", "bar=[\"baz\"]"]
+}
+
+rule "aws_instance_invalid_type" {
+ enabled = true
+}
+
+plugin "aws" {
+ enabled = true
+}
From 720439ad01342122b81b94286daf8cedfc03ded5 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 31 Jul 2024 18:53:14 -0400
Subject: [PATCH 03/35] fmt
---
 .pre-commit-config.yaml | 72 +++++++++++++----
 .pre-commit-hooks.yaml | 169 ++++++++++++++++++++++++++++++++++++++++
 .terraform-docs.yml | 41 +++++-----
 .tflint.hcl | 16 ++--
 README.md | 14 ++--
 5 files changed, 260 insertions(+), 52 deletions(-)
 create mode 100644 .pre-commit-hooks.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d84ca6d..6944a0a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
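Review bot: `plugin "aws" { enabled = true }` has no `source` or `version`, so `tflint --init` has nothing to install and, on tflint releases that no longer bundle the aws ruleset, the plugin and therefore the `aws_instance_invalid_type` rule will not load at all; add `version = "<ruleset version>"` and `source  = "github.com/terraform-linters/tflint-ruleset-aws"` inside the `plugin "aws"` block and pin the version the same way the pre-commit hooks are pinned. `module = true` is the older spelling of that setting and newer tflint releases replace it with `call_module_type`, so confirm which tflint the hook version in `.pre-commit-config.yaml` ships before relying on it. The commented-out `ignore_module`/`varfile`/`variables` lines are the upstream sample values rather than settings for this repo and could be dropped.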
@@ -1,21 +1,61 @@ repos: -- repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.62.1 - hooks: - - id: terraform_validate - - id: terraform_fmt - - id: terraform_docs - args: - - --args=--config=.terraform-docs.yml - # exclude: version.tf - exclude: examples/ - - id: terraform_tflint - args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"] - exclude: examples/ - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.0.1 + rev: v4.6.0 hooks: - - id: check-symlinks + # Git style + - id: check-added-large-files + - id: check-merge-conflict + - id: check-vcs-permalinks + - id: forbid-new-submodules + - id: no-commit-to-branch + + # Common errors + - id: end-of-file-fixer + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + exclude: CHANGELOG.md + - id: check-yaml + - id: check-merge-conflict + - id: check-executables-have-shebangs + + # Cross platform + - id: check-case-conflict + - id: mixed-line-ending + args: [--fix=lf] + + # Security - id: detect-aws-credentials + args: ['--allow-missing-credentials'] - id: detect-private-key + + +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shfmt + args: ['-l', '-i', '2', '-ci', '-sr', '-w'] + - id: shellcheck + +# Dockerfile linter +- repo: https://github.com/hadolint/hadolint + rev: v2.12.1-beta + hooks: + - id: hadolint + args: [ + '--ignore', 'DL3007', # Using latest + '--ignore', 'DL3013', # Pin versions in pip + '--ignore', 'DL3027', # Do not use apt + '--ignore', 'DL3059', # Docker `RUN`s shouldn't be consolidated here + '--ignore', 'DL4006', # Not related to alpine + '--ignore', 'SC1091', # Useless check + '--ignore', 'SC2015', # Useless check + '--ignore', 'SC3037', # Not related to alpine + ] + +# JSON5 Linter +- repo: https://github.com/pre-commit/mirrors-prettier + rev: v3.1.0 + hooks: + - id: prettier + # https://prettier.io/docs/en/options.html#parser + files: '.json5$' 
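Review bot: `check-merge-conflict` is listed twice in the new hook list, once under `# Git style` and again under `# Common errors`; drop one of the two `- id: check-merge-conflict` entries. The rewrite also removes every `pre-commit-terraform` hook (`terraform_validate`, `terraform_fmt`, `terraform_docs`, `terraform_tflint`) while `.tflint.hcl` and `.terraform-docs.yml` are kept and reformatted in the same commit, so after this patch nothing consumes those two configs and no hook validates the module's Terraform; if that is intentional the commit message (`fmt`) should say so. `detect-aws-credentials` with `--allow-missing-credentials` and `detect-private-key` are now the only content checks that remain, which is fine as a baseline but is not a substitute for the Terraform validation that was removed.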
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml new file mode 100644 index 0000000..520c3f0 --- /dev/null +++ b/.pre-commit-hooks.yaml 
@@ -0,0 +1,169 @@ +- id: infracost_breakdown + name: Infracost breakdown + description: Check terraform infrastructure cost + entry: hooks/infracost_breakdown.sh + language: script + require_serial: true + files: \.(tf(vars)?|hcl)$ + exclude: \.terraform/.*$ + +- id: terraform_fmt + name: Terraform fmt + description: Rewrites all Terraform configuration files to a canonical format. + entry: hooks/terraform_fmt.sh + language: script + files: (\.tf|\.tfvars)$ + exclude: \.terraform/.*$ + +- id: terraform_docs + name: Terraform docs + description: Inserts input and output documentation into README.md (using terraform-docs). + require_serial: true + entry: hooks/terraform_docs.sh + language: script + files: (\.tf|\.terraform\.lock\.hcl)$ + exclude: \.terraform/.*$ + +- id: terraform_docs_without_aggregate_type_defaults + name: Terraform docs (without aggregate type defaults) + description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs. + require_serial: true + entry: hooks/terraform_docs.sh + language: script + files: (\.tf)$ + exclude: \.terraform/.*$ + +- id: terraform_docs_replace + name: Terraform docs (overwrite README.md) + description: Overwrite content of README.md with terraform-docs. + require_serial: true + entry: terraform_docs_replace + language: python + files: (\.tf)$ + exclude: \.terraform/.*$ + +- id: terraform_validate + name: Terraform validate + description: Validates all Terraform configuration files. + require_serial: true + entry: hooks/terraform_validate.sh + language: script + files: \.(tf(vars)?|terraform\.lock\.hcl)$ + exclude: \.terraform/.*$ + +- id: terraform_providers_lock + name: Lock terraform provider versions + description: Updates provider signatures in dependency lock files. 
+ require_serial: true + entry: hooks/terraform_providers_lock.sh + language: script + files: (\.terraform\.lock\.hcl)$ + exclude: \.terraform/.*$ + +- id: terraform_tflint + name: Terraform validate with tflint + description: Validates all Terraform configuration files with TFLint. + require_serial: true + entry: hooks/terraform_tflint.sh + language: script + files: (\.tf|\.tfvars)$ + exclude: \.terraform/.*$ + +- id: terragrunt_fmt + name: Terragrunt fmt + description: Rewrites all Terragrunt configuration files to a canonical format. + entry: hooks/terragrunt_fmt.sh + language: script + files: (\.hcl)$ + exclude: \.terraform/.*$ + +- id: terragrunt_validate + name: Terragrunt validate + description: Validates all Terragrunt configuration files. + entry: hooks/terragrunt_validate.sh + language: script + files: (\.hcl)$ + exclude: \.terraform/.*$ + +- id: terragrunt_validate_inputs + name: Terragrunt validate inputs + description: Validates Terragrunt unused and undefined inputs. + entry: hooks/terragrunt_validate_inputs.sh + language: script + files: (\.hcl)$ + exclude: \.terraform/.*$ + +- id: terragrunt_providers_lock + name: Terragrunt providers lock + description: Updates provider signatures in dependency lock files using terragrunt. + entry: hooks/terragrunt_providers_lock.sh + language: script + files: (terragrunt|\.terraform\.lock)\.hcl$ + exclude: \.(terraform/.*|terragrunt-cache)$ + +- id: terraform_tfsec + name: Terraform validate with tfsec (deprecated, use "terraform_trivy") + description: Static analysis of Terraform templates to spot potential security issues. + require_serial: true + entry: hooks/terraform_tfsec.sh + files: \.tf(vars)?$ + language: script + +- id: terraform_trivy + name: Terraform validate with trivy + description: Static analysis of Terraform templates to spot potential security issues. 
+ require_serial: true + entry: hooks/terraform_trivy.sh + files: \.tf(vars)?$ + language: script + +- id: checkov + name: checkov (deprecated, use "terraform_checkov") + description: Runs checkov on Terraform templates. + entry: checkov -d . + language: python + pass_filenames: false + always_run: false + files: \.tf$ + exclude: \.terraform/.*$ + require_serial: true + +- id: terraform_checkov + name: Checkov + description: Runs checkov on Terraform templates. + entry: hooks/terraform_checkov.sh + language: script + always_run: false + files: \.tf$ + exclude: \.terraform/.*$ + require_serial: true + +- id: terraform_wrapper_module_for_each + name: Terraform wrapper with for_each in module + description: Generate Terraform wrappers with for_each in module. + entry: hooks/terraform_wrapper_module_for_each.sh + language: script + pass_filenames: false + always_run: false + require_serial: true + files: \.tf$ + exclude: \.terraform/.*$ + +- id: terrascan + name: terrascan + description: Runs terrascan on Terraform templates. + language: script + entry: hooks/terrascan.sh + files: \.tf$ + exclude: \.terraform/.*$ + require_serial: true + +- id: tfupdate + name: tfupdate + description: Runs tfupdate on Terraform templates. + language: script + entry: hooks/tfupdate.sh + args: + - --args=terraform + files: \.tf$ + require_serial: true diff --git a/.terraform-docs.yml b/.terraform-docs.yml index b79e5b5..fabfb8d 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -5,7 +5,7 @@ footer-from: "" sections: ## hide: [] - show: + show: - data-sources - header - footer 
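Review bot: `.pre-commit-hooks.yaml` is the manifest a repository publishes when it provides hooks to others, and every `entry` in this file (`hooks/infracost_breakdown.sh`, `hooks/terraform_fmt.sh`, `hooks/terraform_tflint.sh`, `terraform_docs_replace`, `checkov -d .`, …) points at scripts or commands this commit does not add — the diffstat lists no `hooks/` directory — so the file reads as a copy of the upstream pre-commit-terraform manifest rather than something this module can serve, and anyone pointing `repo:` at this module would get hooks that fail at run time. The consumer-side configuration already lives in `.pre-commit-config.yaml` through `repo: https://github.com/antonbabenko/pre-commit-terraform`, so this file should be deleted unless the intent really is to vendor and maintain the hook scripts here. The hunk spans the whole new file.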
@@ -15,31 +15,30 @@ sections: - providers - requirements - resources - + output: file: README.md - # mode: replace mode: inject template: |- {{ .Content }} -## output-values: -## enabled: false -## from: "" -## -## sort: -## enabled: true -## by: name -## -## settings: -## anchor: true -## color: true -## default: true -## description: false -## escape: true -## indent: 2 -## required: true -## sensitive: true -## type: true +output-values: + enabled: false + from: "" + +sort: + enabled: true + by: name + +settings: + anchor: true + color: true + default: true + description: true + escape: true + indent: 2 + required: true + sensitive: true + type: true diff --git a/.tflint.hcl b/.tflint.hcl index fcc2fa8..a4029d7 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -1,15 +1,15 @@ config { - module = true - force = false + module = true + force = false disabled_by_default = false -# ignore_module = { -# "terraform-aws-modules/vpc/aws" = true -# "terraform-aws-modules/security-group/aws" = true -# } + # ignore_module = { + # "terraform-aws-modules/vpc/aws" = true + # "terraform-aws-modules/security-group/aws" = true + # } -# varfile = ["example1.tfvars", "example2.tfvars"] -# variables = ["foo=bar", "bar=[\"baz\"]"] + # varfile = ["example1.tfvars", "example2.tfvars"] + # variables = ["foo=bar", "bar=[\"baz\"]"] } rule "aws_instance_invalid_type" { diff --git a/README.md b/README.md index 4a9a60b..4acdc5f 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ kube-proxy - update upstream cluster module to 20.20.0 - created changelog - + ## Requirements | Name | Version | 
@@ -43,12 +43,12 @@ kube-proxy | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.14.0 | -| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | >= 5.14.0 | -| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | >= 5.14.0 | -| [aws.self](#provider\_aws.self) | >= 5.14.0 | -| [kubernetes](#provider\_kubernetes) | n/a | -| [null](#provider\_null) | >= 3.2.1 | +| [aws](#provider\_aws) | 5.60.0 | +| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.60.0 | +| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.60.0 | +| [aws.self](#provider\_aws.self) | 5.60.0 | +| [kubernetes](#provider\_kubernetes) | 2.31.0 | +| [null](#provider\_null) | 3.2.2 | ## Modules From 93fd3fca7e31e1b997b9782d216b2a2966896c05 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 19:06:25 -0400 Subject: [PATCH 04/35] more --- .pre-commit-config.yaml | 31 ++++++-------------------- .releaserc.json | 36 +++++++++++++++++++++++++++++++ cluster_admin_group.tf.disable | 1 - cluster_admin_policies.tf.disable | 1 - cluster_admin_roles.tf.disable | 1 - dns_zones.tf | 4 ++-- examples/testing/variables.tf | 2 +- main.tf | 2 +- node_ports.tf.disable | 2 +- security_groups.tf | 1 - sg_ports.tf | 2 +- 11 files changed, 49 insertions(+), 34 deletions(-) create mode 100644 .releaserc.json diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6944a0a..7edd3aa 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -28,30 +28,6 @@ repos:
 args: ['--allow-missing-credentials']
 - id: detect-private-key
 
-
-- repo: https://github.com/jumanjihouse/pre-commit-hooks
- rev: 3.0.0
- hooks:
- - id: shfmt
- args: ['-l', '-i', '2', '-ci', '-sr', '-w']
- - id: shellcheck
-
-# Dockerfile linter
-- repo: https://github.com/hadolint/hadolint
- rev: v2.12.1-beta
- hooks:
- - id: hadolint
- args: [
- '--ignore', 'DL3007', # Using latest
- '--ignore', 'DL3013', # Pin versions in pip
- '--ignore', 'DL3027', # Do not use apt
- '--ignore', 'DL3059', # Docker `RUN`s shouldn't be consolidated here
- '--ignore', 'DL4006', # Not related to alpine
- '--ignore', 'SC1091', # Useless check
- '--ignore', 'SC2015', # Useless check
- '--ignore', 'SC3037', # Not related to alpine
- ]
-
 # JSON5 Linter
 - repo: https://github.com/pre-commit/mirrors-prettier
 rev: v3.1.0
@@ -59,3 +35,10 @@ repos:
 - id: prettier
 # https://prettier.io/docs/en/options.html#parser
 files: '.json5$'
+
+# Terraform Hooks
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
diff --git a/.releaserc.json b/.releaserc.json
new file mode 100644
index 0000000..6e39031
--- /dev/null
+++ b/.releaserc.json
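Review bot: the re-added `pre-commit-terraform` block in the second hunk enables only `terraform_fmt` and `terraform_docs`, so `terraform_validate` and `terraform_tflint` from the first version of this file stay gone and `.tflint.hcl` remains unused; add `- id: terraform_validate` and `- id: terraform_tflint` with `args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]` under `hooks:`. With `rev: v1.92.0` the `terraform_docs` hook should pick up `.terraform-docs.yml` from the module directory on its own, so no `--config` argument is needed there. Dropping the shfmt/shellcheck/hadolint repos in the first hunk is consistent with the diffstat showing no shell scripts or Dockerfiles in this repo.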
@@ -0,0 +1,36 @@ +{ + "branches": [ + "main", + "master" + ], + "ci": false, + "plugins": [ + "@semantic-release/commit-analyzer", + "@semantic-release/release-notes-generator", + [ + "@semantic-release/github", + { + "successComment": + "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:", + "labels": false, + "releasedLabels": false + } + ], + [ + "@semantic-release/changelog", + { + "changelogFile": "CHANGELOG.md", + "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file." + } + ], + [ + "@semantic-release/git", + { + "assets": [ + "CHANGELOG.md" + ], + "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + } + ] + ] +} diff --git a/cluster_admin_group.tf.disable b/cluster_admin_group.tf.disable index 5ee158f..1312c25 100644 --- a/cluster_admin_group.tf.disable +++ b/cluster_admin_group.tf.disable @@ -9,4 +9,3 @@ module "group_cluster-admin" { var.tags, ) } - diff --git a/cluster_admin_policies.tf.disable b/cluster_admin_policies.tf.disable index ea3f658..9040354 100644 --- a/cluster_admin_policies.tf.disable +++ b/cluster_admin_policies.tf.disable @@ -126,4 +126,3 @@ data "aws_iam_policy_document" "cluster-admin_assume_policy" { resources = [module.role_cluster-admin.role_arn] } } - diff --git a/cluster_admin_roles.tf.disable b/cluster_admin_roles.tf.disable index 0c2a97c..4cdcf8e 100644 --- a/cluster_admin_roles.tf.disable +++ b/cluster_admin_roles.tf.disable @@ -23,4 +23,3 @@ output "role_cluster-admin-role_arn" { description = "Role ARN for EKS Cluster Admin Role" value = module.role_cluster-admin.role_arn } - diff --git a/dns_zones.tf b/dns_zones.tf index c54d080..34f087a 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
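Review bot: `"ci": false` turns off semantic-release's CI-environment check, so a release — the tag, the GitHub release, and the `@semantic-release/git` commit of `CHANGELOG.md` pushed with `[skip ci]` — can be cut from any workstation that holds a repository token, bypassing whatever the pipeline would otherwise enforce; unless local releases are intended, leave `ci` at its default and let the pipeline run semantic-release. If local releases are intended, record that in the README, since JSON leaves no room for an explanatory comment here. Listing both `main` and `master` under `branches` suggests the release branch is not settled; pick the one this repository actually uses.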
@@ -1,5 +1,5 @@ #------------------------------------------------- -# DNS Zone for EKS +# DNS Zone for EKS #------------------------------------------------- locals { cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) @@ -9,7 +9,7 @@ locals { zone_ids = compact(var.zone_ids) } #------------------------------------------------- -# Providers for Cross Account DNS Action +# Providers for Cross Account DNS Action #------------------------------------------------- provider "aws" { alias = "route53_main_east" diff --git a/examples/testing/variables.tf b/examples/testing/variables.tf index 6369824..2e107e9 100644 --- a/examples/testing/variables.tf +++ b/examples/testing/variables.tf @@ -78,4 +78,4 @@ variable "tags" { description = "AWS Tags to apply to appropriate resources" type = map(string) default = {} -} \ No newline at end of file +} diff --git a/main.tf b/main.tf index 3a03cd2..7e80e18 100644 --- a/main.tf +++ b/main.tf @@ -53,7 +53,7 @@ locals { # This is done especially since access entries are fairly course grained, especially given the granularity we can achieve via EKS native # RBAC constructs in Roles and ClusterRoles and bindings. # This below is just an example, in practice we'd notionally be creating a role (or multiple) specific to the cluster and setting policy - # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand + # to allow the cluster users to assume said role; but we need to spend some time parsing what exactly are the permissions we plan to hand # out to these clusters. access_entries = { inf-admin-t2 = { diff --git a/node_ports.tf.disable b/node_ports.tf.disable index 403a3d6..1c2c550 100644 --- a/node_ports.tf.disable +++ b/node_ports.tf.disable @@ -42,4 +42,4 @@ locals { # type = "ingress" # self = true # } -# } \ No newline at end of file +# } diff --git a/security_groups.tf b/security_groups.tf index 2a46467..0dc3ded 100644 
--- a/security_groups.tf +++ b/security_groups.tf @@ -69,4 +69,3 @@ resource "aws_security_group" "additional_eks_cluster_sg" { cidr_blocks = ["0.0.0.0/0"] } } - diff --git a/sg_ports.tf b/sg_ports.tf index b93db24..22ccfeb 100644 --- a/sg_ports.tf +++ b/sg_ports.tf @@ -54,4 +54,4 @@ locals { # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null } } -} \ No newline at end of file +} From 3e42428d88877b3f6c602ea453d476569f79214c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 19:09:32 -0400 Subject: [PATCH 05/35] remove disabled --- cluster_admin_group.tf.disable | 11 --- cluster_admin_policies.tf.disable | 128 ------------------------------ cluster_admin_roles.tf.disable | 25 ------ istio_ports.tf.disable | 84 -------------------- node_ports.tf.disable | 45 ----------- 5 files changed, 293 deletions(-) delete mode 100644 cluster_admin_group.tf.disable delete mode 100644 cluster_admin_policies.tf.disable delete mode 100644 cluster_admin_roles.tf.disable delete mode 100644 istio_ports.tf.disable delete mode 100644 node_ports.tf.disable diff --git a/cluster_admin_group.tf.disable b/cluster_admin_group.tf.disable deleted file mode 100644 index 1312c25..0000000 --- a/cluster_admin_group.tf.disable +++ /dev/null @@ -1,11 +0,0 @@ -module "group_cluster-admin" { - source = "git@github.e.it.census.gov:terraform-modules/aws-iam-group.git" - - group_name = format("%v%v-cluster-admin", local._prefixes["eks"], var.cluster_name) - attached_policies = [aws_iam_policy.cluster-admin-policy.arn, aws_iam_policy.cluster-admin_assume_policy.arn] - - tags = merge( - local.base_tags, - var.tags, - ) -} diff --git a/cluster_admin_policies.tf.disable b/cluster_admin_policies.tf.disable deleted file mode 100644 index 9040354..0000000 --- a/cluster_admin_policies.tf.disable +++ /dev/null 
@@ -1,128 +0,0 @@ -#--- -# cluster admin policy -#--- -locals { - eks_resources = ["cluster", "addon", "nodegroup", "identityproviderconfig"] - - admin_policy_statements = { - ECRRead = { - actions = [ - "ecr:Describe*", - "ecr:Get*", - "ecr:ListImages", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability", - "ecr:GetDownloadUrlForLayer", - ] - resources = ["*"] - } - ECRWrite = { - actions = [ - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:CreateRepository", - "ecr:DeleteRepository", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart" - ] - resources = [format(local.common_arn, "ecr", format("repository/eks/%v/* ", var.cluster_name))] - } - EKSRead = { - actions = [ - "eks:ListClusters", - "eks:ListAddons", - "eks:ListNodegroups", - "eks:DescribeCluster", - "eks:DescribeAddon*", - "eks:DescribeNodegroup", - ] - resources = [ - format(local.common_arn, "eks", "cluster/*"), - format(local.common_arn, "eks", "addon/*"), - format(local.common_arn, "eks", "addons/*"), - format(local.common_arn, "eks", "/addons/*"), - format(local.common_arn, "eks", "nodegroup/*"), - ] - } - IAMRead = { - actions = [ - "iam:ListRoles", - ] - resources = ["*"] - } - SSMGet = { - actions = [ - "ssm:GetParameter", - ] - resources = [ - format("arn:%v:%v:%v:%v:%v", data.aws_arn.current.partition, "ssm", data.aws_region.current.name, "", "parameter/aws/service/eks/*") - ] - } - EKSReadMyClusters = { - actions = [ - "eks:List*", - "eks:Read*", - "eks:Describe*", - "eks:AccessKubernetesApi", - ] - resources = flatten(concat( - tolist([format(local.common_arn, "eks", format("/clusters/%v/addons", var.cluster_name))]), - [for r in local.eks_resources : tolist([ - format(local.common_arn, "eks", format("%v/%v", r, var.cluster_name)), - format(local.common_arn, "eks", format("%v/%v/*", r, var.cluster_name)) - ])])) - } - } -} - -data "aws_iam_policy_document" "cluster-admin-policy" { - dynamic "statement" { - for_each = local.admin_policy_statements - 
iterator = s - content { - sid = format("%v%vAccess", lookup(s.value, "effect", "Allow"), s.key) - effect = lookup(s.value, "effect", "Allow") - actions = lookup(s.value, "actions", []) - resources = lookup(s.value, "resources", []) - } - } -} - -resource "aws_iam_policy" "cluster-admin-policy" { - name = format("%v%v-cluster-admin", local._prefixes["eks-policy"], var.cluster_name) - path = "/" - description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources" - policy = data.aws_iam_policy_document.cluster-admin-policy.json - - tags = merge( - local.base_tags, - var.tags, - ) -} - -#--- -# cluster admin assume policy -#--- -resource "aws_iam_policy" "cluster-admin_assume_policy" { - name = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name) - path = "/" - description = "Allow for assume role to the cluster-admin role for ${var.cluster_name}" - policy = data.aws_iam_policy_document.cluster-admin_assume_policy.json - - tags = merge( - local.base_tags, - var.tags, - var.application_tags, - tomap({ "Name" = format("%v%v-cluster-admin-assume", local._prefixes["eks-policy"], var.cluster_name) }), - ) -} - -data "aws_iam_policy_document" "cluster-admin_assume_policy" { - statement { - sid = "AllowSTSAssumeClusterAdminRole" - effect = "Allow" - actions = ["sts:AssumeRole"] - resources = [module.role_cluster-admin.role_arn] - } -} diff --git a/cluster_admin_roles.tf.disable b/cluster_admin_roles.tf.disable deleted file mode 100644 index 4cdcf8e..0000000 --- a/cluster_admin_roles.tf.disable +++ /dev/null 
@@ -1,25 +0,0 @@ -#--- -# cluster-admin -#--- -module "role_cluster-admin" { - source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git" - - role_name = format("%v%v-cluster-admin", local._prefixes["eks"], var.cluster_name) - role_description = "SAML EKS cluster admin Role for ${var.cluster_name}" - enable_ldap_creation = false - assume_policy_document = data.aws_iam_policy_document.allow_sts.json - # assume_policy_document = data.aws_iam_policy_document.cluster-admin_combined.json - attached_policies = [aws_iam_policy.cluster-admin-policy.arn] - - tags = merge( - local.base_tags, - local.common_tags, - var.tags, - var.application_tags, - ) -} - -output "role_cluster-admin-role_arn" { - description = "Role ARN for EKS Cluster Admin Role" - value = module.role_cluster-admin.role_arn -} diff --git a/istio_ports.tf.disable b/istio_ports.tf.disable deleted file mode 100644 index 7351588..0000000 --- a/istio_ports.tf.disable +++ /dev/null 
@@ -1,84 +0,0 @@ -locals { - istio_ports = [ - { - description = "Envoy admin port / outbound" - from_port = 15000 - to_port = 15001 - }, - { - description = "Debug port" - from_port = 15004 - to_port = 15004 - }, - { - description = "Envoy inbound" - from_port = 15006 - to_port = 15006 - }, - { - description = "HBONE mTLS tunnel port / secure networks XDS and CA services (Plaintext)" - from_port = 15008 - to_port = 15010 - }, - { - description = "XDS and CA services (TLS and mTLS)" - from_port = 15012 - to_port = 15012 - }, - { - description = "Control plane monitoring" - from_port = 15014 - to_port = 15014 - }, - { - description = "Control plane monitoring" - from_port = 15017 - to_port = 15017 - }, - { - description = "Merged Prometheus telemetry data from Istio agent, Envoy, and application, Health checks" - from_port = 15020 - to_port = 15021 - }, - { - description = "DNS port" - from_port = 15053 - to_port = 15053 - }, - { - description = "Envoy Prometheus telemetry" - from_port = 15090 - to_port = 15090 - }, - { - description = "aws-load-balancer-controller" - from_port = 9443 - to_port = 9443 - }, - ] - - ingress_rules = { - for ikey, ivalue in local.istio_ports : - "${ikey}_ingress" => { - description = ivalue.description - protocol = "tcp" - from_port = ivalue.from_port - to_port = ivalue.to_port - type = "ingress" - self = true - } - } - - egress_rules = { - for ekey, evalue in local.istio_ports : - "${ekey}_egress" => { - description = evalue.description - protocol = "tcp" - from_port = evalue.from_port - to_port = evalue.to_port - type = "egress" - self = true - } - } - -} diff --git a/node_ports.tf.disable b/node_ports.tf.disable deleted file mode 100644 index 1c2c550..0000000 --- a/node_ports.tf.disable +++ /dev/null 
@@ -1,45 +0,0 @@ -locals { - ingress_rules { - ingress_nodes_ephemeral = { - "description" = "Node to node ingress on ephemeral ports" - "protocol" = -1 - "from_port" = 0 - "to_port" = 0 - "type" = "ingress" - "self" = true - } - } -# ingress_nodes_ephemeral = { -# "description": "Node to node ingress on ephemeral ports custom", -# "protocol": -1, -# "from_port": 0, -# "to_port": 0, -# "type": "ingress", -# "self": true -# } -} - - - # { - # "cidr_blocks": [], - # "description": "Envoy inbound", - # "from_port": 15006, - # "ipv6_cidr_blocks": [], - # "prefix_list_ids": [], - # "protocol": "tcp", - # "security_groups": [], - # "self": true, - # "to_port": 15006 - # }, - -# ingress_rules = { -# for ikey, ivalue in local.istio_ports : -# "${ikey}_ingress" => { -# description = ivalue.description -# protocol = "tcp" -# from_port = ivalue.from_port -# to_port = ivalue.to_port -# type = "ingress" -# self = true -# } -# } From f2b794346be0092ebef2f385929197d520e4b622 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 22:49:00 -0400 Subject: [PATCH 06/35] lints --- .gitignore | 2 + .pre-commit-config.yaml | 52 ++++++++++++++++++++- .tflint.hcl | 8 ++++ README.md | 22 +++------ aws_data.tf | 31 ------------ dns_zones.tf | 52 +++++++++++++-------- examples/simple/eks.tf | 3 +- examples/simple/providers.tf | 8 ++++ examples/testing/eks.tf | 1 - examples/testing/providers.tf | 7 +++ irsa_roles.tf | 21 ++------- main.tf | 6 +-- outputs.tf | 7 +-- prefixes.tf | 2 +- requirements.tf | 18 ++----- security_groups.tf | 4 +- sg_ports.tf | 34 +++++++------- terragrunt.hcl | 88 +++++++++++++++++++++++++++++++++++ variables.tf | 32 ------------- version.tf | 4 +- 20 files changed, 238 insertions(+), 164 deletions(-) create mode 100644 .gitignore create mode 100644 terragrunt.hcl diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cc5778c --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.terraform/ +.terraform.lock.hcl 
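Review bot: `.terraform.lock.hcl` is ignored in the new `.gitignore`, which discards the provider checksum pinning that `terraform init` records and that the `terragrunt_providers_lock` hook added to `.pre-commit-config.yaml` in this same commit exists to maintain. Leaving the lock file out is the usual convention for a reusable module, but the root-level `terragrunt.hcl` also added here suggests this directory is run as a root configuration, in which case the lock should be committed so every apply resolves the same provider builds. If the module convention is intended, a comment such as `# lock file intentionally not committed: this repo is consumed as a module` would make the choice explicit and the providers-lock hook can be dropped.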
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7edd3aa..3fc319d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -30,7 +30,7 @@ repos: # JSON5 Linter - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.1.0 + rev: v4.0.0-alpha.8 hooks: - id: prettier # https://prettier.io/docs/en/options.html#parser 
@@ -41,4 +41,54 @@ repos: rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_fmt + args: + - --hook-config=--parallelism-ci-cpu-cores=2 - id: terraform_docs + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terraform_tflint + name: Terraform validate with tflint + description: Validates all Terraform configuration files with TFLint. + require_serial: true + entry: hooks/terraform_tflint.sh + language: script + files: (\.tf|\.tfvars)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_fmt + name: Terragrunt fmt + description: Rewrites all Terragrunt configuration files to a canonical format. + entry: hooks/terragrunt_fmt.sh + language: script + files: (\.hcl)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_validate + name: Terragrunt validate + description: Validates all Terragrunt configuration files. + entry: hooks/terragrunt_validate.sh + language: script + files: (\.hcl)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_validate_inputs + name: Terragrunt validate inputs + description: Validates Terragrunt unused and undefined inputs. + entry: hooks/terragrunt_validate_inputs.sh + language: script + files: (\.hcl)$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 + - id: terragrunt_providers_lock + name: Terragrunt providers lock + description: Updates provider signatures in dependency lock files using terragrunt. + entry: hooks/terragrunt_providers_lock.sh + language: script + files: (terragrunt|\.terraform\.lock)\.hcl$ + exclude: \.(terraform/.*|terragrunt-cache)$ + args: + - --hook-config=--parallelism-ci-cpu-cores=2 diff --git a/.tflint.hcl b/.tflint.hcl index a4029d7..30b0d2c 100644 --- a/.tflint.hcl 
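Review bot: The new `terraform_tflint` and `terragrunt_*` entries re-declare `name`, `description`, `entry`, `language`, `files` and `exclude`, fields the `antonbabenko/pre-commit-terraform` repo at `rev: v1.92.0` already defines for those hook ids; only `id` and `args` are needed, as the existing `terraform_fmt` and `terraform_docs` entries show. Copying the upstream definitions into this config means a later `rev` bump keeps running the old script paths and file patterns without anyone noticing. I would reduce each new hook to `- id: terragrunt_fmt` followed by its `args:` list.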
+++ b/.tflint.hcl @@ -18,4 +18,12 @@ rule "aws_instance_invalid_type" { plugin "aws" { enabled = true + version = "0.32.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} + +plugin "terraform" { + enabled = true + version = "0.9.0" + source = "github.com/terraform-linters/tflint-ruleset-terraform" } diff --git a/README.md b/README.md index 4acdc5f..14d8883 100644 --- a/README.md +++ b/README.md @@ -33,11 +33,8 @@ kube-proxy |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | >= 5.14.0 | -| [cloudinit](#requirement\_cloudinit) | >= 2.3.2 | -| [http](#requirement\_http) | >= 3.4.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.31.0 | | [null](#requirement\_null) | >= 3.2.1 | -| [time](#requirement\_time) | >= 0.9.1 | -| [tls](#requirement\_tls) | >= 4.0.4 | ## Providers @@ -55,7 +52,6 @@ kube-proxy | Name | Source | Version | |------|--------|---------| | [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 | -| [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | 
@@ -64,8 +60,8 @@ kube-proxy | Name | Type | |------|------| -| [aws_ec2_tag.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | -| [aws_ec2_tag.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | | [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | 
@@ -82,10 +78,9 @@ kube-proxy | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_route53_zone.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | -| [aws_subnets.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_subnets.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_subnets.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | 
@@ -94,9 +89,6 @@ kube-proxy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | -| [account\_id](#input\_account\_id) | AWS account id | `string` | `""` | no | -| [aws\_environment](#input\_aws\_environment) | AWS Environment (govcloud \| east-west) | `string` | `""` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | @@ -108,8 +100,6 @@ kube-proxy | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | | [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no | -| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"269244441389-lab-gov-network-nonprod"` | no | -| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` |
{
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
}
| no | | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [profile](#input\_profile) | AWS config profile | `string` | `""` | no | @@ -157,7 +147,7 @@ kube-proxy | [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key | | [module\_name](#output\_module\_name) | The name of this module. | | [module\_version](#output\_module\_version) | The version of this module. | -| [node\_group\_name](#output\_node\_group\_name) | ############################################################################### Additional ############################################################################### output "cluster\_autoscaler\_role\_name" { value = module.cluster\_autoscaler\_irsa\_role.iam\_role\_name } | +| [node\_group\_name](#output\_node\_group\_name) | name of the node group created for use by karpenter | | [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group | | [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group | | [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) | diff --git a/aws_data.tf b/aws_data.tf index 7dead47..fb1697a 100644 --- a/aws_data.tf +++ b/aws_data.tf 
@@ -5,34 +5,3 @@ data "aws_region" "current" {} data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } -data "aws_subnets" "container-subnets" { - filter { - name = "tag:Name" - values = [local.container_subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} -data "aws_subnets" "lb-subnets" { - filter { - name = "tag:Name" - values = [local.lb_subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} -locals { - container_subnets_name = var.subnets_name - lb_subnets_name = var.lb_subnets_name - base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) - iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - common_arn = format("arn:%v:%%v:%v:%v:%%v", - data.aws_arn.current.partition, - data.aws_region.current.name, - data.aws_caller_identity.current.account_id) - -} diff --git a/dns_zones.tf b/dns_zones.tf index 34f087a..195e03a 100644 --- a/dns_zones.tf +++ b/dns_zones.tf 
@@ -1,11 +1,35 @@ #------------------------------------------------- # DNS Zone for EKS #------------------------------------------------- + +#------------------------------------------------- +# Locals +#------------------------------------------------- +data "aws_subnets" "container_subnets" { + filter { + name = "tag:Name" + values = [local.container_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} +data "aws_subnets" "lb_subnets" { + filter { + name = "tag:Name" + values = [local.lb_subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} locals { + container_subnets_name = var.subnets_name + lb_subnets_name = var.lb_subnets_name cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)]) zone_ids = compact(var.zone_ids) } #------------------------------------------------- @@ -31,6 +55,7 @@ provider "aws" { provider "aws" { alias = "self" + # Commented as in testing we are assuming this role already # assume_role { # role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) # session_name = var.os_username @@ -77,16 +102,6 @@ resource "aws_route53_zone_association" "self_zone_east" { depends_on = [aws_route53_vpc_association_authorization.self_zone] } -#--- -# zone list -#--- -data "aws_route53_zone" "zones" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - private_zone = true -} - resource "aws_route53_zone" "cluster_domain" { name = local.cluster_domain_name comment = local.cluster_domain_description 
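Review bot: The new `# Locals` banner in the first hunk sits above two `data "aws_subnets"` blocks rather than above the `locals` block they precede, and neither subnet lookup is DNS-related, so the header should name what follows, e.g. `# Subnet lookups used for EKS subnet tagging`, with the `# Locals` banner moved down to the `locals {` line. The same hunk keeps `zone_ids = compact(var.zone_ids)` while the hunk at `@@ -77,16 +102,6 @@` deletes `data.aws_route53_zone.zones`, the only consumer of `local.zone_ids` visible in this diff; if nothing else reads it, the local and `var.zone_ids` are now dead and should go together.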
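Review bot: The comment `# Commented as in testing we are assuming this role already` added in the `@@ -31,6 +55,7 @@` hunk explains a test-time shortcut but leaves `provider "aws"` alias `self` indistinguishable from the default provider, so the cross-account DNS resources under it run with whatever credentials the operator happens to hold rather than the scoped `r-inf-terraform` role the commented block names. The comment should state the precondition outside testing, e.g. `# assume_role disabled: callers must already be running as r-inf-terraform; re-enable before use from another principal`, so the privilege boundary is documented rather than implied by a commented-out block.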
@@ -121,10 +136,6 @@ data "aws_vpc" "dummy_vpc" { name = "tag:Name" values = ["vpc0-dummy"] } - # filter { - # name = "tag:eks-cluster-name" - # values = [var.cluster_name] - # } } resource "aws_vpc" "vpc" { @@ -136,18 +147,19 @@ resource "aws_vpc" "vpc" { { "Name" = "vpc0-dummy" }, ) } + # Tag existing subnets for EKS # Container subnets under data.aws_subnets.container-subnets # Load Balance subnets under data.aws_subnets.lb-subnets -resource "aws_ec2_tag" "container-subnets" { - for_each = toset(data.aws_subnets.container-subnets.ids) +resource "aws_ec2_tag" "container_subnets" { + for_each = toset(data.aws_subnets.container_subnets.ids) resource_id = each.value key = "kubernetes.io/cluster/${var.cluster_name}" value = "shared" } -resource "aws_ec2_tag" "lb-subnets" { - for_each = toset(data.aws_subnets.lb-subnets.ids) +resource "aws_ec2_tag" "lb_subnets" { + for_each = toset(data.aws_subnets.lb_subnets.ids) resource_id = each.value key = "kubernetes.io/role/internal-nlb" value = "1" diff --git a/examples/simple/eks.tf b/examples/simple/eks.tf index 5a851d1..48b55c5 100644 --- a/examples/simple/eks.tf +++ b/examples/simple/eks.tf @@ -1,6 +1,5 @@ module "eks" { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//" - #source = "git@github.it.census.gov:SOA/tfmod-eks.git//?ref=v1.0.0" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=1.0.1" vpc_name = var.vpc_name diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf index ce03e7a..c4b7c92 100644 --- a/examples/simple/providers.tf +++ b/examples/simple/providers.tf @@ -1,7 +1,15 @@ terraform { required_version = ">= 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.14.0" + } + } } + provider "aws" { profile = var.profile region = var.region diff --git a/examples/testing/eks.tf b/examples/testing/eks.tf index 5c958ce..f5c3f2f 100644 --- a/examples/testing/eks.tf +++ b/examples/testing/eks.tf 
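Review bot: The comment above `resource "aws_ec2_tag" "container_subnets"` still reads `# Container subnets under data.aws_subnets.container-subnets` and `# Load Balance subnets under data.aws_subnets.lb-subnets`, the hyphenated addresses this hunk renames to `container_subnets` and `lb_subnets`. Update the two comment lines to `data.aws_subnets.container_subnets` and `data.aws_subnets.lb_subnets` so the reference a reader follows actually resolves.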
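Review bot: `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=1.0.1"` in `examples/simple/eks.tf` pins to a git tag, which can be moved or re-pushed; a consumer that needs byte-identical module code should pin `ref=` to the commit the tag resolves to (placeholder: `?ref=<COMMIT_SHA_OF_1.0.1>`) or carry a comment stating that tags in that repo are treated as immutable. The tag also has no `v` prefix while `main.tf` pins the cluster module as `ref=v20.20.0`; if the two repos use different tag schemes on purpose, a one-line comment saying so would stop the next reader from "fixing" one of them.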
@@ -1,5 +1,4 @@ module "eks" { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//" source = "../.." vpc_name = var.vpc_name diff --git a/examples/testing/providers.tf b/examples/testing/providers.tf index ce03e7a..d88db95 100644 --- a/examples/testing/providers.tf +++ b/examples/testing/providers.tf @@ -1,5 +1,12 @@ terraform { required_version = ">= 1.5.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.14.0" + } + } } provider "aws" { diff --git a/irsa_roles.tf b/irsa_roles.tf index db5a487..52754d7 100644 --- a/irsa_roles.tf +++ b/irsa_roles.tf @@ -1,3 +1,4 @@ +# tflint-ignore: terraform_module_version module "vpc_cni_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -15,6 +16,7 @@ module "vpc_cni_irsa_role" { tags = local.tags } +# tflint-ignore: terraform_module_version module "ebs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -30,6 +32,7 @@ module "ebs_csi_irsa_role" { tags = local.tags } +# tflint-ignore: terraform_module_version module "efs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" @@ -44,21 +47,3 @@ module "efs_csi_irsa_role" { } tags = local.tags } - -module "cluster_autoscaler_irsa_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - - role_name = "${var.cluster_name}-cluster-autoscaler" - - attach_cluster_autoscaler_policy = true - - cluster_autoscaler_cluster_names = [module.cluster.cluster_name] - - oidc_providers = { - main = { - provider_arn = module.cluster.oidc_provider_arn - namespace_service_accounts = ["kube-system:cluster-autoscaler"] - } - } - tags = local.tags -} diff --git a/main.tf b/main.tf index 7e80e18..fead34b 100644 --- a/main.tf +++ b/main.tf 
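Review bot: `# tflint-ignore: terraform_module_version` above `module "vpc_cni_irsa_role"` suppresses the finding instead of fixing it: the registry source `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks` presumably carries no `version` argument (that is what the rule reports), so every `init` resolves the latest published release of a module that creates IAM roles and attaches policies. Add `version = "<PINNED_VERSION>"` (placeholder) beside the `source` line and drop the ignore comment; the same applies to the `ebs_csi_irsa_role` and `efs_csi_irsa_role` hunks at `@@ -15,6 +16,7 @@` and `@@ -30,6 +32,7 @@`. The module blocks continue outside these hunks.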
@@ -34,7 +34,8 @@ locals { base_tags = { "eks-cluster-name" = var.cluster_name - "boc:tf_module_version" = local._module_version + "boc:tf_module_name" = local.module_name + "boc:tf_module_version" = local.module_version "boc:created_by" = "terraform" CostAllocation = var.tag_costallocation } @@ -44,7 +45,7 @@ locals { # 'nlb-policy' = aws_iam_policy.nlb-policy.arn } - ng_name = format("%v%v-nodegroup", local._prefixes["eks"], var.cluster_name) + ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) tags = merge(local.base_tags, var.tags) @@ -73,7 +74,6 @@ locals { module "cluster" { source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.20.0" - #version = "19.16.0" cluster_name = var.cluster_name cluster_version = var.cluster_version diff --git a/outputs.tf b/outputs.tf index 5db8b1a..15bc115 100644 --- a/outputs.tf +++ b/outputs.tf @@ -8,12 +8,12 @@ output "module_name" { description = "The name of this module." - value = local._module_name + value = local.module_name } output "module_version" { description = "The version of this module." - value = local._module_version + value = local.module_version } ################################################################################ @@ -281,5 +281,6 @@ output "self_managed_node_groups_autoscaling_group_names" { # value = module.cluster_autoscaler_irsa_role.iam_role_name # } output "node_group_name" { - value = local.ng_name + description = "name of the node group created for use by karpenter" + value = local.ng_name } diff --git a/prefixes.tf b/prefixes.tf index 03303f1..f677e0a 100644 --- a/prefixes.tf +++ b/prefixes.tf @@ -1,5 +1,5 @@ locals { - _prefixes = { + prefixes = { "efs" = "v-efs-" "s3" = "v-s3-" "ebs" = "v-ebs-" diff --git a/requirements.tf b/requirements.tf index 1bc9dda..958be0a 100644 --- a/requirements.tf +++ b/requirements.tf 
@@ -6,25 +6,13 @@ terraform { source = "hashicorp/aws" version = ">= 5.14.0" } - cloudinit = { - source = "hashicorp/cloudinit" - version = ">= 2.3.2" - } - http = { - source = "hashicorp/http" - version = ">= 3.4.0" + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.31.0" } null = { source = "hashicorp/null" version = ">= 3.2.1" } - time = { - source = "hashicorp/time" - version = ">= 0.9.1" - } - tls = { - source = "hashicorp/tls" - version = ">= 4.0.4" - } } } diff --git a/security_groups.tf b/security_groups.tf index 0dc3ded..6683944 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -1,7 +1,7 @@ locals { - all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local._prefixes["eks-security-group"], var.cluster_name) - additional_eks_cluster_sg_name = format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name) + all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local.prefixes["eks-security-group"], var.cluster_name) + additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name) } resource "aws_security_group" "all_worker_mgmt" { diff --git a/sg_ports.tf b/sg_ports.tf index 22ccfeb..8f9201c 100644 --- a/sg_ports.tf +++ b/sg_ports.tf 
@@ -1,56 +1,56 @@ locals { node_security_group_additional_rules = { - "ingress_nodes_ephemeral" = { - "description" = "Node to node ingress on ephemeral ports" - "from_port" = 80 - "protocol" = "tcp" - "self" = true - "to_port" = 65535 - "type" = "ingress" + ingress_nodes_ephemeral = { + description = "Node to node ingress on ephemeral ports" + from_port = 80 + protocol = "tcp" + self = true + to_port = 65535 + type = "ingress" } # metrics-server ingress_cluster_4443_webhook = { description = "Cluster API to node 4443/tcp webhook" - protocol = "tcp" from_port = 4443 + protocol = "tcp" + source_cluster_security_group = true to_port = 4443 type = "ingress" - source_cluster_security_group = true } # prometheus-adapter ingress_cluster_6443_webhook = { description = "Cluster API to node 6443/tcp webhook" - protocol = "tcp" from_port = 6443 + protocol = "tcp" + source_cluster_security_group = true to_port = 6443 type = "ingress" - source_cluster_security_group = true } # Karpenter ingress_cluster_8443_webhook = { description = "Cluster API to node 8443/tcp webhook" - protocol = "tcp" from_port = 8443 + protocol = "tcp" + source_cluster_security_group = true to_port = 8443 type = "ingress" - source_cluster_security_group = true } # ALB controller, NGINX ingress_cluster_9443_webhook = { description = "Cluster API to node 9443/tcp webhook" - protocol = "tcp" from_port = 9443 + protocol = "tcp" + source_cluster_security_group = true to_port = 9443 type = "ingress" - source_cluster_security_group = true } egress_all = { + cidr_blocks = ["0.0.0.0/0"] description = "Allow all egress" - protocol = "-1" from_port = 0 + protocol = "-1" to_port = 0 type = "egress" - cidr_blocks = ["0.0.0.0/0"] # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null } } diff --git a/terragrunt.hcl b/terragrunt.hcl new file mode 100644 index 0000000..676bf73 --- /dev/null +++ b/terragrunt.hcl 
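Review bot: `ingress_nodes_ephemeral` describes itself as `Node to node ingress on ephemeral ports` but opens tcp 80–65535, which is far wider than any ephemeral range and already covers the 4443/6443/8443/9443 webhook ports the rules below open individually; `self = true` keeps it node-to-node, but the description should state the real range, e.g. `description = "Node to node ingress, tcp 80-65535"`, or the range should be narrowed to what the workloads need. Separately, the retained comment `# ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null` in `egress_all` names a variable nowhere declared in this diff; if it is not an input of this module the comment is misleading and should be removed. The `locals` block appears to close with this hunk.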
@@ -0,0 +1,88 @@ +# include "root" { +# path = find_in_parent_folders() +# expose = true +# } + +locals { + # account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) + # region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + # In which AWS region are operations being performed + # account_id = local.account_vars.locals.aws_account_id + account_id = 123456789012 + # region = local.region_vars.locals.aws_region + region = "us-gov-east-1" + vpc_name = "vpc3-lab-dev" + cluster_name = "example-cluster" + cluster_version = "1.30" + vpc_domain_name = "dev.lab.csp2.census.gov" + eks_instance_disk_size = 100 + eks_vpc_name = "vpc3-lab-dev" + eks_ng_desired_size = 1 + eks_ng_max_size = 10 + eks_ng_min_size = 1 + operators_ns = "operators" + enable_cluster_creator_admin_permissions = true + cluster_endpoint_public_access = true + profile = "224384469011-lab-dev-gov" + cluster_mailing_list = "csvd@census.gov" + + # Tags applied to AWS objects created + tags = { + "Environment" = "dev" + "slim:schedule" = "8:00-17:00" + "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" + } + + # aws_auth_roles = [ + # { + # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t3_b200ae7af469cdc8" + # aws_rolename : "" + # username : "admin" + # groups = ["system:masters"] + # }, + # { + # rolearn : "arn:aws-us-gov:iam::224384469011:role/r-inf-terraform" + # aws_rolename : "" + # username : "admin" + # groups = ["system:masters"] + # }, + # { + # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa" + # aws_rolename : "" + # username : "admin" + # groups = ["system:masters"] + # } + # ] +} + +terraform { + source = "../tfmod-eks" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20m"] + } +} + +inputs = { + # aws_account_id = local.account_id + profile = 
local.profile + vpc_name = local.eks_vpc_name + cluster_name = local.cluster_name + cluster_version = local.cluster_version + eks_instance_disk_size = local.eks_instance_disk_size + # eks_vpc_name = local.eks_vpc_name + # eks_instance_types = local.eks_instance_types + eks_ng_desired_size = local.eks_ng_desired_size + eks_ng_max_size = local.eks_ng_max_size + eks_ng_min_size = local.eks_ng_min_size + operators_ns = local.operators_ns + enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions + cluster_endpoint_public_access = local.cluster_endpoint_public_access + tags = local.tags + # aws_auth_roles = local.aws_auth_roles + vpc_domain_name = local.vpc_domain_name + region = local.region + # creator = local.cluster_mailing_list + os_username = local.cluster_mailing_list + shared_vpc_label = "dev" +} diff --git a/variables.tf b/variables.tf index 2481239..c23678d 100644 --- a/variables.tf +++ b/variables.tf @@ -79,12 +79,6 @@ variable "operators_ns" { default = "operators" } -variable "access_entries" { - description = "Map of access entries to add to the cluster" - type = any - default = {} -} - ################################################################### # Common variables ################################################################### @@ -113,24 +107,12 @@ variable "profile" { default = "" } -variable "account_id" { - description = "AWS account id" - type = string - default = "" -} - variable "region" { description = "AWS config region" type = string default = "" } -variable "aws_environment" { - description = "AWS Environment (govcloud | east-west)" - type = string - default = "" -} - variable "os_username" { description = "OS username from environment variable, ideally as $USER" type = string 
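Review bot: `cluster_endpoint_public_access = true` in the new `terragrunt.hcl` flips the module default of `false` shown in the README table for this series, and nothing in the file records what limits reachability of the public endpoint; add a comment beside it naming the intended restriction (the allowed CIDR list or the host the README description refers to) so the setting is not copied into other environments unchanged. The commented-out `aws_auth_roles` block maps three role ARNs to `system:masters`; it is dead configuration that grants cluster-admin the moment someone uncomments it, so deleting it is safer than keeping it "for reference". `account_id = 123456789012` is a placeholder while `profile` embeds a different account id; a comment saying which is authoritative would help whoever fills the first in. The `inputs` block is split across two lines of this patch but is otherwise complete.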
@@ -141,20 +123,6 @@ variable "os_username" { # DNS variables ################################################################### -variable "main_dns_vpcs" { - description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS" - type = map(string) - default = { - "us-gov-east-1" = "vpc-070595c5b133243dd" - "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" - } -} - -variable "main_dns_profile" { - description = "Profile name for AWS for the main DNS central account" - type = string - default = "269244441389-lab-gov-network-nonprod" -} variable "shared_vpc_label" { description = "Label to use for shared VPC for flowlogs and other things" diff --git a/version.tf b/version.tf index 96080a9..932356f 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { - _module_name = "tfmod-eks" - _module_version = "0.0.4" + module_name = "tfmod-eks" + module_version = "0.0.4" } From 80f7e787fc473d1473b0970b9015c6f85f3723d0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 22:54:38 -0400 Subject: [PATCH 07/35] add terragrunt-cache to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index cc5778c..7103c45 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .terraform/ .terraform.lock.hcl +.terragrunt-cache/ From 984f8b2a1312674927914196a0785a3de815dff6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 23:35:54 -0400 Subject: [PATCH 08/35] add tflint exception --- README.md | 1 + variables.tf | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 14d8883..f4e161d 100644 --- a/README.md +++ b/README.md 
@@ -89,6 +89,7 @@ kube-proxy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | diff --git a/variables.tf b/variables.tf index c23678d..9a4c157 100644 --- a/variables.tf +++ b/variables.tf @@ -79,6 +79,13 @@ variable "operators_ns" { default = "operators" } +# tflint-ignore: terraform_unused_declarations +variable "access_entries" { + description = "Map of access entries to add to the cluster" + type = any + default = {} +} + ################################################################### # Common variables ################################################################### From d78710f20926a870b75eb857f30ed70928d3f4fc Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 31 Jul 2024 23:39:10 -0400 Subject: [PATCH 09/35] commented for ref --- .pre-commit-hooks.yaml | 339 +++++++++++++++++++++-------------------- 1 file changed, 170 insertions(+), 169 deletions(-) diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 520c3f0..266f0c7 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml 
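Review bot: Re-adding `access_entries` under `# tflint-ignore: terraform_unused_declarations` means the input is accepted but, as the suppression implies, not referenced by the module, so a caller who passes access entries gets neither an error nor an effect; that silent no-op later reads as "access was configured". Either wire the variable through to the cluster module or state the gap in the description, e.g. `description = "Map of access entries to add to the cluster (currently not applied by this module)"`. `type = any` also gives up validation of the entry shape; a typed map would catch mistyped keys at plan time rather than at first use.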
@@ -1,169 +1,170 @@ -- id: infracost_breakdown - name: Infracost breakdown - description: Check terraform infrastructure cost - entry: hooks/infracost_breakdown.sh - language: script - require_serial: true - files: \.(tf(vars)?|hcl)$ - exclude: \.terraform/.*$ - -- id: terraform_fmt - name: Terraform fmt - description: Rewrites all Terraform configuration files to a canonical format. - entry: hooks/terraform_fmt.sh - language: script - files: (\.tf|\.tfvars)$ - exclude: \.terraform/.*$ - -- id: terraform_docs - name: Terraform docs - description: Inserts input and output documentation into README.md (using terraform-docs). - require_serial: true - entry: hooks/terraform_docs.sh - language: script - files: (\.tf|\.terraform\.lock\.hcl)$ - exclude: \.terraform/.*$ - -- id: terraform_docs_without_aggregate_type_defaults - name: Terraform docs (without aggregate type defaults) - description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs. - require_serial: true - entry: hooks/terraform_docs.sh - language: script - files: (\.tf)$ - exclude: \.terraform/.*$ - -- id: terraform_docs_replace - name: Terraform docs (overwrite README.md) - description: Overwrite content of README.md with terraform-docs. - require_serial: true - entry: terraform_docs_replace - language: python - files: (\.tf)$ - exclude: \.terraform/.*$ - -- id: terraform_validate - name: Terraform validate - description: Validates all Terraform configuration files. - require_serial: true - entry: hooks/terraform_validate.sh - language: script - files: \.(tf(vars)?|terraform\.lock\.hcl)$ - exclude: \.terraform/.*$ - -- id: terraform_providers_lock - name: Lock terraform provider versions - description: Updates provider signatures in dependency lock files. 
- require_serial: true - entry: hooks/terraform_providers_lock.sh - language: script - files: (\.terraform\.lock\.hcl)$ - exclude: \.terraform/.*$ - -- id: terraform_tflint - name: Terraform validate with tflint - description: Validates all Terraform configuration files with TFLint. - require_serial: true - entry: hooks/terraform_tflint.sh - language: script - files: (\.tf|\.tfvars)$ - exclude: \.terraform/.*$ - -- id: terragrunt_fmt - name: Terragrunt fmt - description: Rewrites all Terragrunt configuration files to a canonical format. - entry: hooks/terragrunt_fmt.sh - language: script - files: (\.hcl)$ - exclude: \.terraform/.*$ - -- id: terragrunt_validate - name: Terragrunt validate - description: Validates all Terragrunt configuration files. - entry: hooks/terragrunt_validate.sh - language: script - files: (\.hcl)$ - exclude: \.terraform/.*$ - -- id: terragrunt_validate_inputs - name: Terragrunt validate inputs - description: Validates Terragrunt unused and undefined inputs. - entry: hooks/terragrunt_validate_inputs.sh - language: script - files: (\.hcl)$ - exclude: \.terraform/.*$ - -- id: terragrunt_providers_lock - name: Terragrunt providers lock - description: Updates provider signatures in dependency lock files using terragrunt. - entry: hooks/terragrunt_providers_lock.sh - language: script - files: (terragrunt|\.terraform\.lock)\.hcl$ - exclude: \.(terraform/.*|terragrunt-cache)$ - -- id: terraform_tfsec - name: Terraform validate with tfsec (deprecated, use "terraform_trivy") - description: Static analysis of Terraform templates to spot potential security issues. - require_serial: true - entry: hooks/terraform_tfsec.sh - files: \.tf(vars)?$ - language: script - -- id: terraform_trivy - name: Terraform validate with trivy - description: Static analysis of Terraform templates to spot potential security issues. 
- require_serial: true - entry: hooks/terraform_trivy.sh - files: \.tf(vars)?$ - language: script - -- id: checkov - name: checkov (deprecated, use "terraform_checkov") - description: Runs checkov on Terraform templates. - entry: checkov -d . - language: python - pass_filenames: false - always_run: false - files: \.tf$ - exclude: \.terraform/.*$ - require_serial: true - -- id: terraform_checkov - name: Checkov - description: Runs checkov on Terraform templates. - entry: hooks/terraform_checkov.sh - language: script - always_run: false - files: \.tf$ - exclude: \.terraform/.*$ - require_serial: true - -- id: terraform_wrapper_module_for_each - name: Terraform wrapper with for_each in module - description: Generate Terraform wrappers with for_each in module. - entry: hooks/terraform_wrapper_module_for_each.sh - language: script - pass_filenames: false - always_run: false - require_serial: true - files: \.tf$ - exclude: \.terraform/.*$ - -- id: terrascan - name: terrascan - description: Runs terrascan on Terraform templates. - language: script - entry: hooks/terrascan.sh - files: \.tf$ - exclude: \.terraform/.*$ - require_serial: true - -- id: tfupdate - name: tfupdate - description: Runs tfupdate on Terraform templates. - language: script - entry: hooks/tfupdate.sh - args: - - --args=terraform - files: \.tf$ - require_serial: true +#### THESE ARE NOT ENABLED, THEY ARE FOR REFERENCE +# - id: infracost_breakdown +# name: Infracost breakdown +# description: Check terraform infrastructure cost +# entry: hooks/infracost_breakdown.sh +# language: script +# require_serial: true +# files: \.(tf(vars)?|hcl)$ +# exclude: \.terraform/.*$ + +# - id: terraform_fmt +# name: Terraform fmt +# description: Rewrites all Terraform configuration files to a canonical format. 
+# entry: hooks/terraform_fmt.sh +# language: script +# files: (\.tf|\.tfvars)$ +# exclude: \.terraform/.*$ + +# - id: terraform_docs +# name: Terraform docs +# description: Inserts input and output documentation into README.md (using terraform-docs). +# require_serial: true +# entry: hooks/terraform_docs.sh +# language: script +# files: (\.tf|\.terraform\.lock\.hcl)$ +# exclude: \.terraform/.*$ + +# - id: terraform_docs_without_aggregate_type_defaults +# name: Terraform docs (without aggregate type defaults) +# description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs. +# require_serial: true +# entry: hooks/terraform_docs.sh +# language: script +# files: (\.tf)$ +# exclude: \.terraform/.*$ + +# - id: terraform_docs_replace +# name: Terraform docs (overwrite README.md) +# description: Overwrite content of README.md with terraform-docs. +# require_serial: true +# entry: terraform_docs_replace +# language: python +# files: (\.tf)$ +# exclude: \.terraform/.*$ + +# - id: terraform_validate +# name: Terraform validate +# description: Validates all Terraform configuration files. +# require_serial: true +# entry: hooks/terraform_validate.sh +# language: script +# files: \.(tf(vars)?|terraform\.lock\.hcl)$ +# exclude: \.terraform/.*$ + +# - id: terraform_providers_lock +# name: Lock terraform provider versions +# description: Updates provider signatures in dependency lock files. +# require_serial: true +# entry: hooks/terraform_providers_lock.sh +# language: script +# files: (\.terraform\.lock\.hcl)$ +# exclude: \.terraform/.*$ + +# - id: terraform_tflint +# name: Terraform validate with tflint +# description: Validates all Terraform configuration files with TFLint. 
+# require_serial: true +# entry: hooks/terraform_tflint.sh +# language: script +# files: (\.tf|\.tfvars)$ +# exclude: \.terraform/.*$ + +# - id: terragrunt_fmt +# name: Terragrunt fmt +# description: Rewrites all Terragrunt configuration files to a canonical format. +# entry: hooks/terragrunt_fmt.sh +# language: script +# files: (\.hcl)$ +# exclude: \.terraform/.*$ + +# - id: terragrunt_validate +# name: Terragrunt validate +# description: Validates all Terragrunt configuration files. +# entry: hooks/terragrunt_validate.sh +# language: script +# files: (\.hcl)$ +# exclude: \.terraform/.*$ + +# - id: terragrunt_validate_inputs +# name: Terragrunt validate inputs +# description: Validates Terragrunt unused and undefined inputs. +# entry: hooks/terragrunt_validate_inputs.sh +# language: script +# files: (\.hcl)$ +# exclude: \.terraform/.*$ + +# - id: terragrunt_providers_lock +# name: Terragrunt providers lock +# description: Updates provider signatures in dependency lock files using terragrunt. +# entry: hooks/terragrunt_providers_lock.sh +# language: script +# files: (terragrunt|\.terraform\.lock)\.hcl$ +# exclude: \.(terraform/.*|terragrunt-cache)$ + +# - id: terraform_tfsec +# name: Terraform validate with tfsec (deprecated, use "terraform_trivy") +# description: Static analysis of Terraform templates to spot potential security issues. +# require_serial: true +# entry: hooks/terraform_tfsec.sh +# files: \.tf(vars)?$ +# language: script + +# - id: terraform_trivy +# name: Terraform validate with trivy +# description: Static analysis of Terraform templates to spot potential security issues. +# require_serial: true +# entry: hooks/terraform_trivy.sh +# files: \.tf(vars)?$ +# language: script + +# - id: checkov +# name: checkov (deprecated, use "terraform_checkov") +# description: Runs checkov on Terraform templates. +# entry: checkov -d . 
+# language: python +# pass_filenames: false +# always_run: false +# files: \.tf$ +# exclude: \.terraform/.*$ +# require_serial: true + +# - id: terraform_checkov +# name: Checkov +# description: Runs checkov on Terraform templates. +# entry: hooks/terraform_checkov.sh +# language: script +# always_run: false +# files: \.tf$ +# exclude: \.terraform/.*$ +# require_serial: true + +# - id: terraform_wrapper_module_for_each +# name: Terraform wrapper with for_each in module +# description: Generate Terraform wrappers with for_each in module. +# entry: hooks/terraform_wrapper_module_for_each.sh +# language: script +# pass_filenames: false +# always_run: false +# require_serial: true +# files: \.tf$ +# exclude: \.terraform/.*$ + +# - id: terrascan +# name: terrascan +# description: Runs terrascan on Terraform templates. +# language: script +# entry: hooks/terrascan.sh +# files: \.tf$ +# exclude: \.terraform/.*$ +# require_serial: true + +# - id: tfupdate +# name: tfupdate +# description: Runs tfupdate on Terraform templates. +# language: script +# entry: hooks/tfupdate.sh +# args: +# - --args=terraform +# files: \.tf$ +# require_serial: true From 0d87a7e7515c7ff2a0a7da29a4fb819e700567b3 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 00:36:09 -0400 Subject: [PATCH 10/35] =?UTF-8?q?=F0=9F=91=B7=20build(.cz.yaml):=20add=20c?= =?UTF-8?q?ommitizen=20config=20file=20>>>=20=E2=8F=B0=202h?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit install commitizen with pip install commitizen --- .cz.yaml | 8 ++++++++ .pre-commit-config.yaml | 5 +++++ 2 files changed, 13 insertions(+) create mode 100644 .cz.yaml diff --git a/.cz.yaml b/.cz.yaml new file mode 100644 index 0000000..35aa66f --- /dev/null +++ b/.cz.yaml @@ -0,0 +1,8 @@ +--- +commitizen: + major_version_zero: true + name: cz_gitmoji + tag_format: $version + update_changelog_on_bump: true + version: 0.0.1 + version_scheme: semver2 
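Review bot: Commenting out every entry leaves `.pre-commit-hooks.yaml` as a hook manifest that defines nothing; since that file is what pre-commit reads when this repository is referenced as a hook source, it now serves only as reference and could be deleted in favour of a pointer to the upstream hook repository in `.pre-commit-config.yaml`. Worth confirming, as only a fragment of `.pre-commit-config.yaml` is visible in this series, that at least one of the static-analysis hooks disabled here (`terraform_trivy`, `terraform_checkov`, `terrascan`) is enabled there, because this commit removes the local definitions of all of them. If the file is kept, the `#### THESE ARE NOT ENABLED, THEY ARE FOR REFERENCE` banner should also say where the active configuration lives.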
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3fc319d..4fb8e19 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -92,3 +92,8 @@ repos:
 exclude: \.(terraform/.*|terragrunt-cache)$
 args:
 - --hook-config=--parallelism-ci-cpu-cores=2
+
+- repo: https://github.com/ljnsn/cz-conventional-gitmoji
+ rev: v0.3.2
+ hooks:
+ - id: conventional-gitmoji
From d33b0642c3f258d409676c490cdb033800d4f892 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 00:37:01 -0400 Subject: [PATCH 11/35] =?UTF-8?q?=F0=9F=93=9D=20docs(CHANGELOG.md):=20adde?= =?UTF-8?q?d=20a=20changelog=20by=20running=20cz=20ch=20>>>=20=E2=8F=B0=20?= =?UTF-8?q?15m?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..3a3b34e
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,5 @@
+## Unreleased
+
+### 💚👷 CI & Build
+
+- **.cz.yaml**: add commitizen config file >>> ⏰ 2h
From 0b40fcddf15af298d8414e185987e321ffc131d2 Mon Sep 17 00:00:00 2001 From: Matthew Creal Morgan Date: Thu, 1 Aug 2024 10:29:00 -0700 Subject: [PATCH 12/35] add dependabot
--- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..4eeafeb
--- /dev/null
+++ b/.github/dependabot.yml
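Review bot: The new `cz-conventional-gitmoji` entry is pinned to the tag `rev: v0.3.2`, which upstream can move; pre-commit clones and executes the hook on every contributor's machine, so for a third-party hook a commit SHA is the stronger pin, `rev: <commit sha for v0.3.2>  # v0.3.2`. If the team relies on `pre-commit autoupdate`, a comment noting that the SHA has to be bumped by hand keeps the two from drifting apart.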
@@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "daily" From 78b82a594138c57c46a0e33920e9ef551241c2c0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 13:30:40 -0400 Subject: [PATCH 13/35] =?UTF-8?q?=F0=9F=92=9A=20ci(.github/dependabot.yml)?= =?UTF-8?q?:=20add=20dependabot=20for=20terraform?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4eeafeb..867570d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,7 +5,7 @@ version: 2 updates: - - package-ecosystem: "" # See documentation for possible values + - package-ecosystem: "terraform" # See documentation for possible values directory: "/" # Location of package manifests schedule: interval: "daily" From 91f6e0f89cf1d118904f93f71d8a112c1d0e8824 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 14:07:31 -0400 Subject: [PATCH 14/35] =?UTF-8?q?=F0=9F=92=9A=20ci(test.yml):=20added=20te?= =?UTF-8?q?st.yml=20to=20demonstrate=20how=20commitizen=20and=20pre-commit?= =?UTF-8?q?-hooks=20work=20>>>=20=E2=8F=B0=2015m?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- test.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 test.yml diff --git a/test.yml b/test.yml new file mode 100644 index 0000000..e69de29 
From 02c32a812abbd0c8ad6fe5aabe262e770cb63325 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 16:04:50 -0400 Subject: [PATCH 15/35] =?UTF-8?q?=F0=9F=90=9B=20fix(dummy-vpc):=20add=20fi?= =?UTF-8?q?lter=20and=20tag=20for=20dummy-vpc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- CHANGELOG.md | 6 ++++++ dns_zones.tf | 4 ++++ test.yml | 0 3 files changed, 10 insertions(+) delete mode 100644 test.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a3b34e..26e49d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,4 +2,10 @@
 ### 💚👷 CI & Build
+- **test.yml**: added test.yml to demonstrate how commitizen and pre-commit-hooks work >>> ⏰ 15m
+- **.github/dependabot.yml**: add dependabot for terraform
 - **.cz.yaml**: add commitizen config file >>> ⏰ 2h
+
+### 📝💡 Documentation
+
+- **CHANGELOG.md**: added a changelog by running cz ch >>> ⏰ 15m
diff --git a/dns_zones.tf b/dns_zones.tf
index 195e03a..389a58e 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -136,6 +136,10 @@ data "aws_vpc" "dummy_vpc" {
 name = "tag:Name"
 values = ["vpc0-dummy"]
 }
+ filter {
+ name = "tag:eks-cluster-name"
+ values = [var.cluster_name]
+ }
 }
 resource "aws_vpc" "vpc" {
diff --git a/test.yml b/test.yml
deleted file mode 100644
index e69de29..0000000
From d748aa6aa972c4915d1f1997583bd2b99cba9b1a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 17:17:16 -0400 Subject: [PATCH 16/35] =?UTF-8?q?=F0=9F=90=9B=20fix(dns=5Fzones.tf):=20add?= =?UTF-8?q?ed=20cluster=20name=20tag=20to=20vpc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- dns_zones.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/dns_zones.tf b/dns_zones.tf
index 389a58e..af4f1fd 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -149,6 +149,7 @@ resource "aws_vpc" "vpc" {
 tags = merge(
 var.tags,
 { "Name" = "vpc0-dummy" },
+ { "eks-cluster-name" = var.cluster_name }
 )
 }
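Review bot: The added `filter` on `tag:eks-cluster-name` in `data "aws_vpc" "dummy_vpc"` matches a tag that `aws_vpc.vpc` only starts applying in the following commit (`{ "eks-cluster-name" = var.cluster_name }`), and from the visible lines the data source appears to look up the same `vpc0-dummy` VPC this module creates; on a fresh apply, or against a VPC created before that commit, the lookup finds nothing and the plan errors. If that coupling is intended, make it explicit with `depends_on = [aws_vpc.vpc]` on the data source, or a comment stating that the VPC must already carry the tag. Both the `data` block and the `resource` block extend beyond these hunks.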
From ba88ed6258736c9fc4647c8177a543d83892947a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 17:51:01 -0400 Subject: [PATCH 17/35] =?UTF-8?q?=F0=9F=93=9D=20docs(changelog):=20moved?= =?UTF-8?q?=20old=20changelog=20to=20changelog.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 14 ++++++++++++++ README.md | 14 -------------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26e49d8..ac89fdb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,3 +9,17 @@ ### 📝💡 Documentation - **CHANGELOG.md**: added a changelog by running cz ch >>> ⏰ 15m + + +* 0.0.4 -- 2024-07-31 + - add operators_ns +* 0.0.3 -- 2024-07-30 + - updated to use karpenter + - misc cleanup + - add hack dns for today until modules work +* 0.0.2 -- 2024-07-22 + - updated version.tf to 0.0.2 + - add kube.config update after cluster create + - update ami_type to AL2023 + - update upstream cluster module to 20.20.0 + - created changelog diff --git a/README.md b/README.md index f4e161d..9a83406 100644 --- a/README.md +++ b/README.md @@ -12,20 +12,6 @@ aws-ebs-csi-driver coredns kube-proxy -# CHANGELOG -* 0.0.4 -- 2024-07-31 - - add operators_ns -* 0.0.3 -- 2024-07-30 - - updated to use karpenter - - misc cleanup - - add hack dns for today until modules work -* 0.0.2 -- 2024-07-22 - - updated version.tf to 0.0.2 - - add kube.config update after cluster create - - update ami_type to AL2023 - - update upstream cluster module to 20.20.0 - - created changelog - ## Requirements From 292289124c8327a7bfb3b62167d0a1bc3cce4ef4 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 19:28:55 -0400 Subject: [PATCH 18/35] =?UTF-8?q?=E2=9C=A8=20feat(amazon-cloudwatch-observ?= =?UTF-8?q?ability):=20add=20cloudwatch=20addon=20instead=20of=20cloudwatc?= =?UTF-8?q?h=20module?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- README.md | 1 + irsa_roles.tf | 16 ++++++++++++++++ main.tf | 6 +++++- 3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9a83406..109ae83 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@ kube-proxy
 | Name | Source | Version |
 |------|--------|---------|
+| [cloudwatch\_irsa\_role](#module\_cloudwatch\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/irsa_roles.tf b/irsa_roles.tf
index 52754d7..c04c22a 100644
--- a/irsa_roles.tf
+++ b/irsa_roles.tf
@@ -47,3 +47,19 @@ module "efs_csi_irsa_role" {
 }
 tags = local.tags
 }
+
+# tflint-ignore: terraform_module_version
+module "cloudwatch_irsa_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_name = "${var.cluster_name}-cloudwatch-addon"
+ # attach_cloudwatch_addon_policy = true
+
+ oidc_providers = {
+ main = {
+ provider_arn = module.cluster.oidc_provider_arn
+ namespace_service_accounts = ["kube-system:cloudwatch-sa"]
+ }
+ }
+ tags = local.tags
+}
diff --git a/main.tf b/main.tf
index fead34b..3b245b1 100644
--- a/main.tf
+++ b/main.tf
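Review bot: `module "cloudwatch_irsa_role"` is declared with `source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"` and no `version`, and the `# tflint-ignore: terraform_module_version` line silences the lint that would flag it, so each init takes whatever the registry currently publishes for a module that creates an IAM role trusted by the cluster's OIDC provider. Pin it with `version = "<pinned module version>"`; the README's `n/a` for the sibling `*_irsa_role` modules shows they share the issue and could be pinned in the same pass. With `# attach_cloudwatch_addon_policy = true` commented out the role carries no policy at this point in the series; PATCH 19 and 20 address that, so nothing beyond the pin is needed here.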
@@ -111,6 +111,10 @@ module "cluster" {
 most_recent = true
 service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
 }
+ amazon-cloudwatch-observability = {
+ most_recent = true
+ service_account_role_arn = module.cloudwatch_irsa_role.iam_role_arn
+ }
 }
 eks_managed_node_group_defaults = {
@@ -170,7 +174,7 @@ resource "aws_security_group_rule" "allow_sidecar_injection" {
 # Update KubeConfig after cluster complete
 ################################################################
 resource "null_resource" "kube_config_create" {
- depends_on = [module.cluster.cluster_name]
+ depends_on = [module.cluster.time_sleep.this]
 provisioner "local-exec" {
 interpreter = ["/bin/bash", "-c"]
 command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config"
From fd61dceaa787d7551f3ebb784a96fd57c52a5e13 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 20:30:35 -0400 Subject: [PATCH 19/35] =?UTF-8?q?=F0=9F=90=9B=20fix(irsa=5Froles.tf):=20up?= =?UTF-8?q?date=20vars=20from=20module?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- irsa_roles.tf | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/irsa_roles.tf b/irsa_roles.tf
index c04c22a..53ca2b6 100644
--- a/irsa_roles.tf
+++ b/irsa_roles.tf
@@ -52,13 +52,16 @@ module "efs_csi_irsa_role" {
 module "cloudwatch_irsa_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- role_name = "${var.cluster_name}-cloudwatch-addon"
- # attach_cloudwatch_addon_policy = true
+ role_name = "${var.cluster_name}-cloudwatch-addon"
+ attach_cloudwatch_log_streaming_policy = true
 oidc_providers = {
 main = {
- provider_arn = module.cluster.oidc_provider_arn
- namespace_service_accounts = ["kube-system:cloudwatch-sa"]
+ provider_arn = module.cluster.oidc_provider_arn
+ namespace_service_accounts = [
+ "amazon-cloudwatch:cloudwatch-agent-sa",
+ "amazon-cloudwatch:fluentbit-sa"
+ ]
 }
 }
 tags = local.tags
From c0b914b83579eee049273551a83a306a08669d9d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 20:46:24 -0400 Subject: [PATCH 20/35] =?UTF-8?q?=F0=9F=90=9B=20fix(irsa=5Froles.tf):=20us?= =?UTF-8?q?e=20cannonical=20module=20ref?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- README.md | 2 +- irsa_roles.tf | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 109ae83..8273c7a 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ kube-proxy | Name | Source | Version | |------|--------|---------| -| [cloudwatch\_irsa\_role](#module\_cloudwatch\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | +| [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | diff --git a/irsa_roles.tf b/irsa_roles.tf index 53ca2b6..a1129b5 100644 --- a/irsa_roles.tf +++ b/irsa_roles.tf @@ -49,18 +49,17 @@ module "efs_csi_irsa_role" { } # tflint-ignore: terraform_module_version -module "cloudwatch_irsa_role" { +module "cloudwatch_observability_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - role_name = "${var.cluster_name}-cloudwatch-addon" - attach_cloudwatch_log_streaming_policy = true + role_name = "${var.cluster_name}-cloudwatch-observability" + attach_cloudwatch_observability_policy = true oidc_providers = { main = { provider_arn = module.cluster.oidc_provider_arn namespace_service_accounts = [ - "amazon-cloudwatch:cloudwatch-agent-sa", - "amazon-cloudwatch:fluentbit-sa" + "amazon-cloudwatch:cloudwatch-agent" ] } } From 4c9554e4ecee6bc1487497feecf62f4092685b7d Mon Sep 17 00:00:00 2001 
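Review bot: The renamed `cloudwatch_observability_irsa_role` module still carries no `version` argument — the `# tflint-ignore: terraform_module_version` line silences the rule instead of satisfying it, and the README table records the version as `n/a` — so every `init` resolves the newest registry release of `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks`, and a new release can change the IAM policy attached by `attach_cloudwatch_observability_policy` or the role's trust policy with no change in this repo. Pin it with `version = "<tested release>"` beside `source` and drop the tflint-ignore line; the provider lock file does not cover modules. Narrowing the trust to the single `amazon-cloudwatch:cloudwatch-agent` subject is the right direction; a comment such as `# must match the service account created by the amazon-cloudwatch-observability addon — confirm on upgrade` would keep the next reader from widening it back.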
From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 20:49:06 -0400 Subject: [PATCH 21/35] =?UTF-8?q?=F0=9F=90=9B=20fix(main.tf):=20fix=20irsa?= =?UTF-8?q?=5Frole=20ref=20from=20update=20>>>=20=E2=8F=B0=205m?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3b245b1..5fc4754 100644 --- a/main.tf +++ b/main.tf @@ -113,7 +113,7 @@ module "cluster" { } amazon-cloudwatch-observability = { most_recent = true - service_account_role_arn = module.cloudwatch_irsa_role.iam_role_arn + service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn } } From 7fd2843e688d840b859332d2dace3e2f71e73c8b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 20:52:10 -0400 Subject: [PATCH 22/35] =?UTF-8?q?=F0=9F=90=9B=20fix(main.tf):=20update=20d?= =?UTF-8?q?epends=5Fon?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 5fc4754..e05d975 100644 --- a/main.tf +++ b/main.tf @@ -174,7 +174,7 @@ resource "aws_security_group_rule" "allow_sidecar_injection" { # Update KubeConfig after cluster complete ################################################################ resource "null_resource" "kube_config_create" { - depends_on = [module.cluster.time_sleep.this] + depends_on = [module.cluster.time_sleep] provisioner "local-exec" { interpreter = ["/bin/bash", "-c"] command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config" From c774f52d2dded1b4881fab3d9d1bc643fd8520e5 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Thu, 1 Aug 2024 21:28:58 -0400 Subject: [PATCH 23/35] =?UTF-8?q?=F0=9F=90=9B=20fix(main.tf):=20add=20shor?= =?UTF-8?q?t=20sleep=20after=20kube=20update?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index e05d975..a464336 100644 --- a/main.tf +++ b/main.tf @@ -185,6 +185,7 @@ resource "null_resource" "kube_config_create" { #### 07-31-2024 - mcm (remove this if group decides on putting in config) resource "kubernetes_namespace" "operators" { depends_on = [null_resource.kube_config_create] + wait = true metadata { name = var.operators_ns } From 02c78958103adeb43b536605b498ecede69a88ba Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 00:08:24 -0400 Subject: [PATCH 24/35] =?UTF-8?q?=F0=9F=90=9B=20fix(main.tf):=20removed=20?= =?UTF-8?q?invalied=20property=20>>>=20=E2=8F=B0=201m?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index a464336..e05d975 100644 --- a/main.tf +++ b/main.tf @@ -185,7 +185,6 @@ resource "null_resource" "kube_config_create" { #### 07-31-2024 - mcm (remove this if group decides on putting in config) resource "kubernetes_namespace" "operators" { depends_on = [null_resource.kube_config_create] - wait = true metadata { name = var.operators_ns } From 0b0fd4ac64fb3e60f4cf8e91780de7272f92a950 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 14:28:46 -0400 Subject: [PATCH 25/35] =?UTF-8?q?=F0=9F=90=9B=20fix(main.tf):=20add=20time?= =?UTF-8?q?=5Fsleep=20before=20operators=20create?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 3 +++ main.tf | 7 ++++++- requirements.tf | 4 ++++ 3 files changed, 13 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 8273c7a..9f1003b 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ kube-proxy | [aws](#requirement\_aws) | >= 5.14.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.31.0 | | [null](#requirement\_null) | >= 3.2.1 | +| [time](#requirement\_time) | >= 0.9.1 | ## Providers @@ -32,6 +33,7 @@ kube-proxy | [aws.self](#provider\_aws.self) | 5.60.0 | | [kubernetes](#provider\_kubernetes) | 2.31.0 | | [null](#provider\_null) | 3.2.2 | +| [time](#provider\_time) | 0.12.0 | ## Modules @@ -60,6 +62,7 @@ kube-proxy | [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [null_resource.kube_config_create](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [time_sleep.let_kube_boot](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | diff --git a/main.tf b/main.tf index e05d975..072245f 100644 --- a/main.tf +++ b/main.tf 
@@ -181,10 +181,15 @@ resource "null_resource" "kube_config_create" { } } +resource "time_sleep" "let_kube_boot" { + depends_on = [null_resource.kube_config_create] + create_duration = "19s" +} + #### NEED TO MOVE THIS TO A PROPER PLACE - Added to tfmod-eks to validate kube_config_create #### 07-31-2024 - mcm (remove this if group decides on putting in config) resource "kubernetes_namespace" "operators" { - depends_on = [null_resource.kube_config_create] + depends_on = [time_sleep.let_kube_boot] metadata { name = var.operators_ns } diff --git a/requirements.tf b/requirements.tf index 958be0a..22f56b0 100644 --- a/requirements.tf +++ b/requirements.tf @@ -14,5 +14,9 @@ terraform { source = "hashicorp/null" version = ">= 3.2.1" } + time = { + source = "hashicorp/time" + version = ">= 0.9.1" + } } } From 8074a4e6014e62e0c635b36761bc710e941a6e30 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 16:22:53 -0400 Subject: [PATCH 26/35] =?UTF-8?q?=F0=9F=90=9B=20fix(main.tf):=20remove=20o?= =?UTF-8?q?perators=20due=20to=20timing=20issues?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 7 ------- main.tf | 14 -------------- requirements.tf | 8 -------- variables.tf | 6 ------ 4 files changed, 35 deletions(-) diff --git a/README.md b/README.md index 9f1003b..9acb2bb 100644 --- a/README.md +++ b/README.md @@ -19,9 +19,7 @@ kube-proxy |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | >= 5.14.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.31.0 | | [null](#requirement\_null) | >= 3.2.1 | -| [time](#requirement\_time) | >= 0.9.1 | ## Providers 
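Review bot: `time_sleep.let_kube_boot` with a fixed `create_duration = "19s"` hides the ordering problem rather than fixing it: the kubernetes provider is apparently reading the kubeconfig that `null_resource.kube_config_create` writes from a local-exec, so a fixed sleep still races on a fast runner, wastes 19s on a slow one, and does nothing for a later apply from a machine whose `~/.kube/config` has no context for this cluster. Configure the provider from cluster outputs instead, so Terraform itself orders the namespace after the cluster and neither the local kubeconfig nor the sleep is needed — this assumes the forked `cluster` module exposes the upstream `cluster_endpoint` and `cluster_certificate_authority_data` outputs alongside the `cluster_name` and `oidc_provider_arn` it already provides. If the sleep must stay for now, the resource needs a comment stating what it is waiting for, e.g. `# give the new control plane a moment to accept requests after update-kubeconfig; see kube_config_create`.

```hcl
# … unchanged: null_resource.kube_config_create …

# Configure the kubernetes provider from cluster outputs so Terraform orders
# it after the cluster; no local kubeconfig or fixed sleep is required.
provider "kubernetes" {
  host                   = module.cluster.cluster_endpoint
  cluster_ca_certificate = base64decode(module.cluster.cluster_certificate_authority_data)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args = ["eks", "get-token", "--cluster-name", module.cluster.cluster_name,
            "--region", data.aws_region.current.name, "--profile", var.profile]
  }
}

resource "kubernetes_namespace" "operators" {
  metadata {
    name = var.operators_ns
  }
}
```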
@@ -31,9 +29,7 @@ kube-proxy | [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.60.0 | | [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.60.0 | | [aws.self](#provider\_aws.self) | 5.60.0 | -| [kubernetes](#provider\_kubernetes) | 2.31.0 | | [null](#provider\_null) | 3.2.2 | -| [time](#provider\_time) | 0.12.0 | ## Modules @@ -60,9 +56,7 @@ kube-proxy | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | -| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [null_resource.kube_config_create](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [time_sleep.let_kube_boot](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | 
@@ -91,7 +85,6 @@ kube-proxy | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | | [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no | -| [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no | | [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no | | [profile](#input\_profile) | AWS config profile | `string` | `""` | no | | [region](#input\_region) | AWS config region | `string` | `""` | no | diff --git a/main.tf b/main.tf index 072245f..22ab235 100644 --- a/main.tf +++ b/main.tf @@ -180,17 +180,3 @@ resource "null_resource" "kube_config_create" { command = "aws eks --region ${data.aws_region.current.name} update-kubeconfig --name ${module.cluster.cluster_name} --profile=${var.profile} && export KUBE_CONFIG_PATH=~/.kube/config && export KUBERNETES_MASTER=~/.kube/config" } } - -resource "time_sleep" "let_kube_boot" { - depends_on = [null_resource.kube_config_create] - create_duration = "19s" -} - -#### NEED TO MOVE THIS TO A PROPER PLACE - Added to tfmod-eks to validate kube_config_create -#### 07-31-2024 - mcm (remove this if group decides on putting in config) -resource "kubernetes_namespace" "operators" { - depends_on = [time_sleep.let_kube_boot] - metadata { - name = var.operators_ns - } -} diff --git a/requirements.tf b/requirements.tf index 22f56b0..2f6cccc 100644 --- a/requirements.tf +++ b/requirements.tf 
@@ -6,17 +6,9 @@ terraform { source = "hashicorp/aws" version = ">= 5.14.0" } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.31.0" - } null = { source = "hashicorp/null" version = ">= 3.2.1" } - time = { - source = "hashicorp/time" - version = ">= 0.9.1" - } } } diff --git a/variables.tf b/variables.tf index 9a4c157..e83369e 100644 --- a/variables.tf +++ b/variables.tf @@ -73,12 +73,6 @@ variable "eks_ng_max_size" { default = 15 } -variable "operators_ns" { - description = "Namespace to create where operators will be installed." - type = string - default = "operators" -} - # tflint-ignore: terraform_unused_declarations variable "access_entries" { description = "Map of access entries to add to the cluster" From 23e90041854cad4270648d8d326f76f8f5055168 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 18:10:28 -0400 Subject: [PATCH 27/35] =?UTF-8?q?=F0=9F=91=B7=20build(cz):=20update=20cz?= =?UTF-8?q?=20to=20use=20scm=20for=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .cz.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cz.yaml b/.cz.yaml index 35aa66f..b1981ec 100644 --- a/.cz.yaml +++ b/.cz.yaml @@ -4,5 +4,5 @@ commitizen: name: cz_gitmoji tag_format: $version update_changelog_on_bump: true - version: 0.0.1 + version_provider: scm version_scheme: semver2 From f1a898ea93d0702a3d9d23df0c44a08573fcf1f5 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 18:23:11 -0400 Subject: [PATCH 28/35] =?UTF-8?q?=F0=9F=92=9A=20ci(.cz.yaml):=20update=20c?= =?UTF-8?q?ommitizen=20to=20use=20scm=20for=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- terragrunt.hcl => examples/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename terragrunt.hcl => examples/terragrunt.hcl (99%) 
diff --git a/terragrunt.hcl b/examples/terragrunt.hcl similarity index 99% rename from terragrunt.hcl rename to examples/terragrunt.hcl index 676bf73..1f59309 100644 --- a/terragrunt.hcl +++ b/examples/terragrunt.hcl @@ -56,7 +56,7 @@ locals { } terraform { - source = "../tfmod-eks" + source = "../../tfmod-eks" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20m"] From d88be8914f0492a72fa6f9c946a553a4e2f2e8f5 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 20:18:15 -0400 Subject: [PATCH 29/35] =?UTF-8?q?=E2=9C=A8=20feat(main.tf):=20added=20adot?= =?UTF-8?q?,=20snapshot-controller,=20and=20updated=20docs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 20 ++++++++++++++++---- main.tf | 8 +++++++- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9acb2bb..cee7fb8 100644 --- a/README.md +++ b/README.md @@ -7,10 +7,22 @@ The cluster is configured with an oidc provider allowing service accounts to be Addons installed: +adot +amazon-cloudwatch-observability aws-efs-csi-driver aws-ebs-csi-driver coredns kube-proxy +snapshot-controller + +Successful completion should show: + +Apply complete! Resources: 73 added, 0 changed, 0 destroyed. + +And should take on average: +real 13m27.720s +user 0m24.466s +sys 0m2.938s ## Requirements 
@@ -25,10 +37,10 @@ kube-proxy | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.60.0 | -| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.60.0 | -| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.60.0 | -| [aws.self](#provider\_aws.self) | 5.60.0 | +| [aws](#provider\_aws) | 5.61.0 | +| [aws.route53\_main\_east](#provider\_aws.route53\_main\_east) | 5.61.0 | +| [aws.route53\_main\_west](#provider\_aws.route53\_main\_west) | 5.61.0 | +| [aws.self](#provider\_aws.self) | 5.61.0 | | [null](#provider\_null) | 3.2.2 | ## Modules diff --git a/main.tf b/main.tf index 22ab235..9e95bb0 100644 --- a/main.tf +++ b/main.tf @@ -82,8 +82,8 @@ module "cluster" { access_entries = local.access_entries cluster_enabled_log_types = [ - "audit", "api", + "audit", "authenticator", "controllerManager", "scheduler", @@ -115,6 +115,12 @@ module "cluster" { most_recent = true service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn } + adot = { + most_recent = true + } + snapshot-controller = { + most_recent = true + } } eks_managed_node_group_defaults = { From 56d7e718affc34c7155b86d36a1ed5e16adc0ec9 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 20:58:46 -0400 Subject: [PATCH 30/35] =?UTF-8?q?=F0=9F=90=9B=20fix(main.tf):=20no=20adot?= =?UTF-8?q?=20avail=20for=201.30?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/main.tf b/main.tf index 9e95bb0..76b0668 100644 --- a/main.tf +++ b/main.tf @@ -115,9 +115,6 @@ module "cluster" { most_recent = true service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn } - adot = { - most_recent = true - } snapshot-controller = { most_recent = true } From c06cd158dd78218c456cafd04516161164a9afd6 Mon Sep 17 00:00:00 2001 
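Review bot: Every entry in `cluster_addons`, including the new `adot` and `snapshot-controller` blocks, uses `most_recent = true` with no `addon_version`, so the version installed is whatever EKS publishes at apply time and can differ between two applies of the same commit; that makes the `Resources: 74 added` count and timings recorded in the README reproducible only by luck, and it lets an addon upgrade reach the cluster without passing through review. Pin each addon with `addon_version = "<version>"` and bump deliberately, or at minimum add a comment on the map saying that floating to the latest addon release is intentional. Swapping `api` ahead of `audit` in `cluster_enabled_log_types` is cosmetic. The `module "cluster"` block begins and ends outside this hunk.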
From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 22:02:39 -0400 Subject: [PATCH 31/35] =?UTF-8?q?=F0=9F=93=9D=20docs:=20update=20resource?= =?UTF-8?q?=20counts=20on=20apply/destroy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index cee7fb8..a79a184 100644 --- a/README.md +++ b/README.md @@ -17,12 +17,19 @@ snapshot-controller Successful completion should show: -Apply complete! Resources: 73 added, 0 changed, 0 destroyed. +Apply complete! Resources: 74 added, 0 changed, 0 destroyed. + +And should take around: +real 11m32.883s +user 0m18.010s +sys 0m2.131s + +Successful destroy should show: +Destroy complete! Resources: 74 destroyed. +real 11m22.795s +user 0m18.300s +sys 0m2.160s -And should take on average: -real 13m27.720s -user 0m24.466s -sys 0m2.938s ## Requirements From f4aeaf147ffc214e7f0c203f436bef9041710074 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 Aug 2024 22:15:26 -0400 Subject: [PATCH 32/35] =?UTF-8?q?=F0=9F=94=96=20bump:=20version=200.0.0=20?= =?UTF-8?q?=E2=86=92=200.1.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 39 ++++++++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac89fdb..7dd3b19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,25 +1,34 @@ -## Unreleased +## 0.1.0 (2024-08-02) + +### ✨ Features + +- **main.tf**: added adot, snapshot-controller, and updated docs +- **amazon-cloudwatch-observability**: add cloudwatch addon instead of cloudwatch module + +### 🐛🚑️ Fixes + +- **main.tf**: no adot avail for 1.30 +- **main.tf**: remove operators due to timing issues +- **main.tf**: add time_sleep before operators create +- **main.tf**: removed invalied property >>> ⏰ 1m +- **main.tf**: add short sleep after kube update +- **main.tf**: update depends_on +- **main.tf**: fix irsa_role ref from update >>> ⏰ 5m +- **irsa_roles.tf**: use cannonical module ref +- **irsa_roles.tf**: update vars from module +- **dns_zones.tf**: added cluster name tag to vpc +- **dummy-vpc**: add filter and tag for dummy-vpc ### 💚👷 CI & Build +- **.cz.yaml**: update commitizen to use scm for version +- **cz**: update cz to use scm for version - **test.yml**: added test.yml to demonstrate how commitizen and pre-commit-hooks work >>> ⏰ 15m - **.github/dependabot.yml**: add dependabot for terraform - **.cz.yaml**: add commitizen config file >>> ⏰ 2h ### 📝💡 Documentation +- update resource counts on apply/destroy +- **changelog**: moved old changelog to changelog.md - **CHANGELOG.md**: added a changelog by running cz ch >>> ⏰ 15m - - -* 0.0.4 -- 2024-07-31 - - add operators_ns -* 0.0.3 -- 2024-07-30 - - updated to use karpenter - - misc cleanup - - add hack dns for today until modules work -* 0.0.2 -- 2024-07-22 - - updated version.tf to 0.0.2 - - add kube.config update after cluster create - - update ami_type to AL2023 - - update upstream cluster module to 20.20.0 - - created changelog From a465cd5368ad84279378c24813ce66e37b0733f4 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 5 Aug 2024 15:12:30 -0400 Subject: [PATCH 33/35] =?UTF-8?q?=F0=9F=93=9D=20docs(versions.tf):=20bumpe?= =?UTF-8?q?d=20the=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- version.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.tf b/version.tf index 932356f..ae23120 100644 --- a/version.tf +++ b/version.tf @@ -1,4 +1,4 @@ locals { module_name = "tfmod-eks" - module_version = "0.0.4" + module_version = "0.1.0" } From 62c579ae8d52fd1394dfb211b8ce759e65d02bfa Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 6 Aug 2024 14:17:01 -0400 Subject: [PATCH 34/35] =?UTF-8?q?=F0=9F=9A=A8=20fix-lint(repo):=20response?= =?UTF-8?q?s=20to=20pr=20feedback=20-=20remove=20disabled=20code?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .pre-commit-config.yaml | 55 +++++++------ .pre-commit-hooks.yaml | 170 ---------------------------------------- .tflint.hcl | 8 -- README.md | 24 ++++-- examples/terragrunt.hcl | 57 +++----------- main.tf | 2 - 6 files changed, 53 insertions(+), 263 deletions(-) delete mode 100644 .pre-commit-hooks.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4fb8e19..ab93da6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,7 +33,6 @@ repos: rev: v4.0.0-alpha.8 hooks: - id: prettier - # https://prettier.io/docs/en/options.html#parser files: '.json5$' # Terraform Hooks 
@@ -65,33 +64,33 @@ repos: exclude: \.(terraform/.*|terragrunt-cache)$ args: - --hook-config=--parallelism-ci-cpu-cores=2 - - id: terragrunt_validate - name: Terragrunt validate - description: Validates all Terragrunt configuration files. - entry: hooks/terragrunt_validate.sh - language: script - files: (\.hcl)$ - exclude: \.(terraform/.*|terragrunt-cache)$ - args: - - --hook-config=--parallelism-ci-cpu-cores=2 - - id: terragrunt_validate_inputs - name: Terragrunt validate inputs - description: Validates Terragrunt unused and undefined inputs. - entry: hooks/terragrunt_validate_inputs.sh - language: script - files: (\.hcl)$ - exclude: \.(terraform/.*|terragrunt-cache)$ - args: - - --hook-config=--parallelism-ci-cpu-cores=2 - - id: terragrunt_providers_lock - name: Terragrunt providers lock - description: Updates provider signatures in dependency lock files using terragrunt. - entry: hooks/terragrunt_providers_lock.sh - language: script - files: (terragrunt|\.terraform\.lock)\.hcl$ - exclude: \.(terraform/.*|terragrunt-cache)$ - args: - - --hook-config=--parallelism-ci-cpu-cores=2 + # - id: terragrunt_validate + # name: Terragrunt validate + # description: Validates all Terragrunt configuration files. + # entry: hooks/terragrunt_validate.sh + # language: script + # files: (\.hcl)$ + # exclude: \.(terraform/.*|terragrunt-cache)$ + # args: + # - --hook-config=--parallelism-ci-cpu-cores=2 + # - id: terragrunt_validate_inputs + # name: Terragrunt validate inputs + # description: Validates Terragrunt unused and undefined inputs. + # entry: hooks/terragrunt_validate_inputs.sh + # language: script + # files: (\.hcl)$ + # exclude: \.(terraform/.*|terragrunt-cache)$ + # args: + # - --hook-config=--parallelism-ci-cpu-cores=2 + # - id: terragrunt_providers_lock + # name: Terragrunt providers lock + # description: Updates provider signatures in dependency lock files using terragrunt. 
+ # entry: hooks/terragrunt_providers_lock.sh + # language: script + # files: (terragrunt|\.terraform\.lock)\.hcl$ + # exclude: \.(terraform/.*|terragrunt-cache)$ + # args: + # - --hook-config=--parallelism-ci-cpu-cores=2 - repo: https://github.com/ljnsn/cz-conventional-gitmoji rev: v0.3.2 diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml deleted file mode 100644 index 266f0c7..0000000 --- a/.pre-commit-hooks.yaml +++ /dev/null 
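Review bot: The commit title says "remove disabled code", but this hunk disables code: `terragrunt_validate`, `terragrunt_validate_inputs` and `terragrunt_providers_lock` were live hooks and are now 27 commented-out lines, and the last of them is the hook that refreshed provider signatures in `.terraform.lock.hcl` — the one step here that bears on supply-chain pinning. If they were switched off because `terragrunt.hcl` moved under `examples/` and no longer validates from the root, delete them outright and leave a single line such as `# terragrunt hooks dropped: terragrunt.hcl now lives under examples/`; if the lock-file refresh is still wanted, keep `terragrunt_providers_lock` with `files: examples/terragrunt\.hcl$` or switch to the plain `terraform_providers_lock` hook. Separately, the deleted `.pre-commit-hooks.yaml` was the only place in this series where trivy, checkov or terrascan appeared; whether any security scanner remains enabled in `.pre-commit-config.yaml` is not visible in this hunk and is worth confirming before merge.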
@@ -1,170 +0,0 @@ -#### THESE ARE NOT ENABLED, THEY ARE FOR REFERENCE -# - id: infracost_breakdown -# name: Infracost breakdown -# description: Check terraform infrastructure cost -# entry: hooks/infracost_breakdown.sh -# language: script -# require_serial: true -# files: \.(tf(vars)?|hcl)$ -# exclude: \.terraform/.*$ - -# - id: terraform_fmt -# name: Terraform fmt -# description: Rewrites all Terraform configuration files to a canonical format. -# entry: hooks/terraform_fmt.sh -# language: script -# files: (\.tf|\.tfvars)$ -# exclude: \.terraform/.*$ - -# - id: terraform_docs -# name: Terraform docs -# description: Inserts input and output documentation into README.md (using terraform-docs). -# require_serial: true -# entry: hooks/terraform_docs.sh -# language: script -# files: (\.tf|\.terraform\.lock\.hcl)$ -# exclude: \.terraform/.*$ - -# - id: terraform_docs_without_aggregate_type_defaults -# name: Terraform docs (without aggregate type defaults) -# description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs. -# require_serial: true -# entry: hooks/terraform_docs.sh -# language: script -# files: (\.tf)$ -# exclude: \.terraform/.*$ - -# - id: terraform_docs_replace -# name: Terraform docs (overwrite README.md) -# description: Overwrite content of README.md with terraform-docs. -# require_serial: true -# entry: terraform_docs_replace -# language: python -# files: (\.tf)$ -# exclude: \.terraform/.*$ - -# - id: terraform_validate -# name: Terraform validate -# description: Validates all Terraform configuration files. -# require_serial: true -# entry: hooks/terraform_validate.sh -# language: script -# files: \.(tf(vars)?|terraform\.lock\.hcl)$ -# exclude: \.terraform/.*$ - -# - id: terraform_providers_lock -# name: Lock terraform provider versions -# description: Updates provider signatures in dependency lock files. 
-# require_serial: true -# entry: hooks/terraform_providers_lock.sh -# language: script -# files: (\.terraform\.lock\.hcl)$ -# exclude: \.terraform/.*$ - -# - id: terraform_tflint -# name: Terraform validate with tflint -# description: Validates all Terraform configuration files with TFLint. -# require_serial: true -# entry: hooks/terraform_tflint.sh -# language: script -# files: (\.tf|\.tfvars)$ -# exclude: \.terraform/.*$ - -# - id: terragrunt_fmt -# name: Terragrunt fmt -# description: Rewrites all Terragrunt configuration files to a canonical format. -# entry: hooks/terragrunt_fmt.sh -# language: script -# files: (\.hcl)$ -# exclude: \.terraform/.*$ - -# - id: terragrunt_validate -# name: Terragrunt validate -# description: Validates all Terragrunt configuration files. -# entry: hooks/terragrunt_validate.sh -# language: script -# files: (\.hcl)$ -# exclude: \.terraform/.*$ - -# - id: terragrunt_validate_inputs -# name: Terragrunt validate inputs -# description: Validates Terragrunt unused and undefined inputs. -# entry: hooks/terragrunt_validate_inputs.sh -# language: script -# files: (\.hcl)$ -# exclude: \.terraform/.*$ - -# - id: terragrunt_providers_lock -# name: Terragrunt providers lock -# description: Updates provider signatures in dependency lock files using terragrunt. -# entry: hooks/terragrunt_providers_lock.sh -# language: script -# files: (terragrunt|\.terraform\.lock)\.hcl$ -# exclude: \.(terraform/.*|terragrunt-cache)$ - -# - id: terraform_tfsec -# name: Terraform validate with tfsec (deprecated, use "terraform_trivy") -# description: Static analysis of Terraform templates to spot potential security issues. -# require_serial: true -# entry: hooks/terraform_tfsec.sh -# files: \.tf(vars)?$ -# language: script - -# - id: terraform_trivy -# name: Terraform validate with trivy -# description: Static analysis of Terraform templates to spot potential security issues. 
-# require_serial: true -# entry: hooks/terraform_trivy.sh -# files: \.tf(vars)?$ -# language: script - -# - id: checkov -# name: checkov (deprecated, use "terraform_checkov") -# description: Runs checkov on Terraform templates. -# entry: checkov -d . -# language: python -# pass_filenames: false -# always_run: false -# files: \.tf$ -# exclude: \.terraform/.*$ -# require_serial: true - -# - id: terraform_checkov -# name: Checkov -# description: Runs checkov on Terraform templates. -# entry: hooks/terraform_checkov.sh -# language: script -# always_run: false -# files: \.tf$ -# exclude: \.terraform/.*$ -# require_serial: true - -# - id: terraform_wrapper_module_for_each -# name: Terraform wrapper with for_each in module -# description: Generate Terraform wrappers with for_each in module. -# entry: hooks/terraform_wrapper_module_for_each.sh -# language: script -# pass_filenames: false -# always_run: false -# require_serial: true -# files: \.tf$ -# exclude: \.terraform/.*$ - -# - id: terrascan -# name: terrascan -# description: Runs terrascan on Terraform templates. -# language: script -# entry: hooks/terrascan.sh -# files: \.tf$ -# exclude: \.terraform/.*$ -# require_serial: true - -# - id: tfupdate -# name: tfupdate -# description: Runs tfupdate on Terraform templates. -# language: script -# entry: hooks/tfupdate.sh -# args: -# - --args=terraform -# files: \.tf$ -# require_serial: true diff --git a/.tflint.hcl b/.tflint.hcl index 30b0d2c..684d807 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -2,14 +2,6 @@ config { module = true force = false disabled_by_default = false - - # ignore_module = { - # "terraform-aws-modules/vpc/aws" = true - # "terraform-aws-modules/security-group/aws" = true - # } - - # varfile = ["example1.tfvars", "example2.tfvars"] - # variables = ["foo=bar", "bar=[\"baz\"]"] } rule "aws_instance_invalid_type" { diff --git a/README.md b/README.md index a79a184..f023066 100644 --- a/README.md +++ b/README.md 
@@ -5,31 +5,39 @@ The module creates an EKS cluster named cluster_name in the region using kuberen The cluster is configured with an oidc provider allowing service accounts to be configured with IRSA roles as needed. +## Addons Addons installed: -adot -amazon-cloudwatch-observability -aws-efs-csi-driver -aws-ebs-csi-driver -coredns -kube-proxy -snapshot-controller +* amazon-cloudwatch-observability +* aws-ebs-csi-driver +* aws-efs-csi-driver +* coredns +* kube-proxy +* snapshot-controller +### Apply Successful completion should show: - +```terraform Apply complete! Resources: 74 added, 0 changed, 0 destroyed. And should take around: real 11m32.883s user 0m18.010s sys 0m2.131s +``` +### Destroy Successful destroy should show: +```terraform Destroy complete! Resources: 74 destroyed. real 11m22.795s user 0m18.300s sys 0m2.160s +``` +#### Changelog +Change logs are auto-generated with commitizen. +[CHANGELOG.md](CHANGELOG.md) ## Requirements diff --git a/examples/terragrunt.hcl b/examples/terragrunt.hcl index 1f59309..3181d3e 100644 --- a/examples/terragrunt.hcl +++ b/examples/terragrunt.hcl @@ -1,15 +1,5 @@ -# include "root" { -# path = find_in_parent_folders() -# expose = true -# } - locals { - # account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) - # region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) - # In which AWS region are operations being performed - # account_id = local.account_vars.locals.aws_account_id - account_id = 123456789012 - # region = local.region_vars.locals.aws_region + account_id = 123456789012 region = "us-gov-east-1" vpc_name = "vpc3-lab-dev" cluster_name = "example-cluster" 
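Review bot: After the cleanup the `account_id = 123456789012` local is a bare placeholder with no remaining reader in this example (the `inputs` hunk later in this same commit drops the `aws_account_id` line that used it), so it now reads as a real value without being one. Either remove the local or mark it, e.g. `account_id = 123456789012 # placeholder; not passed to the module`, so nobody copies it into an ARN for the `us-gov-east-1` account this example targets. The `locals` block continues past the end of the hunk.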
@@ -32,27 +22,6 @@ locals {
 "slim:schedule" = "8:00-17:00"
 "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
 }
-
- # aws_auth_roles = [
- # {
- # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t3_b200ae7af469cdc8"
- # aws_rolename : ""
- # username : "admin"
- # groups = ["system:masters"]
- # },
- # {
- # rolearn : "arn:aws-us-gov:iam::224384469011:role/r-inf-terraform"
- # aws_rolename : ""
- # username : "admin"
- # groups = ["system:masters"]
- # },
- # {
- # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
- # aws_rolename : ""
- # username : "admin"
- # groups = ["system:masters"]
- # }
- # ]
 }
 terraform {
@@ -64,25 +33,19 @@ terraform {
 }
 inputs = {
- # aws_account_id = local.account_id
- profile = local.profile
- vpc_name = local.eks_vpc_name
- cluster_name = local.cluster_name
- cluster_version = local.cluster_version
- eks_instance_disk_size = local.eks_instance_disk_size
- # eks_vpc_name = local.eks_vpc_name
- # eks_instance_types = local.eks_instance_types
+ profile = local.profile
+ vpc_name = local.eks_vpc_name
+ cluster_name = local.cluster_name
+ cluster_version = local.cluster_version
+ eks_instance_disk_size = local.eks_instance_disk_size
 eks_ng_desired_size = local.eks_ng_desired_size
 eks_ng_max_size = local.eks_ng_max_size
 eks_ng_min_size = local.eks_ng_min_size
- operators_ns = local.operators_ns
 enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions
 cluster_endpoint_public_access = local.cluster_endpoint_public_access
 tags = local.tags
- # aws_auth_roles = local.aws_auth_roles
- vpc_domain_name = local.vpc_domain_name
- region = local.region
- # creator = local.cluster_mailing_list
- os_username = local.cluster_mailing_list
- shared_vpc_label = "dev"
+ vpc_domain_name = local.vpc_domain_name
+ region = local.region
+ os_username = local.cluster_mailing_list
+ shared_vpc_label = "dev"
 }
diff --git a/main.tf b/main.tf
index 76b0668..f444ab0 100644
--- a/main.tf
+++ b/main.tf
@@ -40,9 +40,7 @@ locals {
 CostAllocation = var.tag_costallocation
 }
- # TBD - Why do we need nlb-policy
 additional_policies = {
- # 'nlb-policy' = aws_iam_policy.nlb-policy.arn
 }
 ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
From 725ccbe7ac75ef84b712c7e4edd64c474b4ca0fc Mon Sep 17 00:00:00 2001
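Review bot: Removing `operators_ns = local.operators_ns` from `inputs` leaves the example depending on whatever default the module declares for `operators_ns`, which this hunk does not show; if the variable has no default the example stops planning, and if it does, the example no longer demonstrates how the operators namespace is named. Either keep the line or make the omission explicit with `# operators_ns: left at the module default (<DEFAULT-PLACEHOLDER>)`. The same hunk also drops the last, already-commented reference to `local.account_id` (`# aws_account_id = local.account_id`) while the preceding hunk keeps `account_id = 123456789012` hard-coded in `locals`; as far as these hunks show that local is now unreferenced and can be removed, or wired back to `aws_account_id` if the module still accepts it. The `locals` block these inputs read from lies outside this hunk.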
From: "Matthew C. Morgan"
Date: Tue, 6 Aug 2024 14:26:40 -0400
Subject: [PATCH 35/35] =?UTF-8?q?=F0=9F=9A=A8=20fix-lint(.pre-commit-confi?= =?UTF-8?q?g.yaml):=20commented=20the=20terragrunt=20actions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
need minified terragrunt.hcl to be created in the future.
---
 .pre-commit-config.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ab93da6..3d8476f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -64,6 +64,7 @@ repos:
 exclude: \.(terraform/.*|terragrunt-cache)$
 args:
 - --hook-config=--parallelism-ci-cpu-cores=2
+ ### DISABLED UNTIL MINIFIED TERRAGRUNT.HCL IS CREATED
 # - id: terragrunt_validate
 # name: Terragrunt validate
 # description: Validates all Terragrunt configuration files.
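Review bot: The added `### DISABLED UNTIL MINIFIED TERRAGRUNT.HCL IS CREATED` banner records that `terragrunt_validate` is off but not who owns re-enabling it or what "minified" is meant to mean, and since the `# - id: terragrunt_validate` lines under it are unchanged context, the hunk only documents an existing state rather than commenting anything out as the subject says. While the hook stays disabled, nothing in this hook list validates Terragrunt configuration as far as the hunk shows, so the banner is where the next maintainer will look for the reason; suggest `### DISABLED UNTIL MINIFIED TERRAGRUNT.HCL IS CREATED (tracked in <TRACKING-ISSUE>); terragrunt_validate is skipped until then, validate examples/terragrunt.hcl in CI meanwhile`. The enclosing `repos:` entry begins outside the hunk.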